HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone

A partial waiver of HIPAA has been issued by the U.S. Department of Health and Human Services in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands, the thrid such waiver of 2017 following the has already issuing of waivers of HIPAA sanctions and penalties in areas affected by hurricanes earlier this year.

The previous waivers were issued in relation to Hurricane Harvey and Hurricane Irma  and, as was the case in those instances, the waiver only applies to covered groups in areas where a public health emergency has been declared, only for 72 hours following the beginning of the hospital’s disaster protocol and only for specific provisions of the HIPAA Privacy Rule:

  • The requirements to receive a person’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to respect wishes to be excluded from the facility directory. See 45 CFR 164.510(a).
  • The requirement to broadcast a notice of privacy policies. See 45 CFR 164.520.
  • The patient’s right to ask for privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to ask for confidential communications. See 45 CFR 164.522(b)

As soon as the 72-hour period has expired, or as soon as the Presidential or Secretarial declaration terminates, the waiver ceases to apply and covered groups must comply with the above particulars of the Privacy Rule for all patients still being treated by them.

If you would like to see more information on the HIPAA waiver click here.

In the case of an emergency, a waiver of sanctions and penalties for violations of limited provisions of the HIPAA Privacy Rule is not completely necessary, although such a waiver does offer some reassurance to covered groups or companies that are operating in a disaster area.

The HHS has remarked out in its recent broadcast that in cases of emergency, covered entities are allowed to share limited protected health data of patients even if a waiver has not been issued, when it is in the best interests of patients to do so, to help locate patients, to help find family members and for public health activities. In the case of the latter, it is allowable to share PHI with public health authorities such as a state or local health department or the CDC for the purpose of preventing or limiting disease, injury or disability.

PHI can also be shared for the reasons relating to treatment, either the treatment of the patient or another individual who may be affected by the same situation, as well as to assit with the coordination or management of healthcare, such as sharing PHI with other healthcare providers or when sending patients for treatment – 45 CFR §§ 164.502(a)(1)(ii), 164.506(c)

PHI can be shared with any person, as necessary, to prevent or minimize a serious or imminent threat to the health and safety of a person or the public., if that person is in a position to lessen or prevent possible harm. Such disclosures can be made without the patient’s expressed permission. It is left to the discretion of the covered body to make a decision regarding the nature and severity of the threat to health – 45 CFR 164.512(j).

Disclosures can be made to family, friends, and other people involved in a patient’s treatment and information can be shared to help find, locate, and notify family members, guardians, or others responsible for a patient’s treatment – 45 CFR 164.510(b).

When others not involved in the care of a patient, including the media, seek information about a particular patient by name, a HIPAA-covered body is allowed to release “limited facility directory information” and provide general data about the patient such as whether they are in critical or stable condition, are deceased, or have been treated and have left the treatment facility, provided the patient has not sought to have the information be kept private.

In every case, any disclosures must be kept to the minimum possible information to achieve the purpose for which the information is released. At all times, even in cases of severe emergency, the HIPAA Security Rule requirements apply and covered bodies must continue to ensure administrative, physical, and technical measures are in place to maintain the confidentiality, integrity, and availability of personal health information.

Author: Maria Perez