Secretary of the U.S. Department of Health and Human Services Tom Price has announced that certain HIPAA compliance violation penalties will be waived in the disaster area of Hurricane Harvey in Texas and Louisiana.
Following any natural disaster, hospitals and health systems must operate in difficult circumstances. During such times, it can be a major challenge to provide treatment while complying with all aspects of HIPAA Rules. With resources stretched, HIPAA Privacy Rule violations can easily occur.
In emergencies situations, such as when healthcare organizations are required to assist in disaster relief efforts, HIPAA Rules must still be followed. The HIPAA Privacy Rule is not suspended in such situations, although the HHS Secretary can waive certain provisions of the HIPAA Privacy Rule.
Following the announcement by President Trump that a disaster area exists in Texas and Louisiana, Secretary Price announced that certain sanctions and penalties for HIPAA Privacy Rule violations would be waived. The waiver only applies to hospitals in the disaster area for the emergency period identified in the public health emergency declaration and applies for up to 72 hours following the implementation of a hospital’s disaster protocol. If the disaster protocol has not been implemented, the waiver does not apply.
Termination of the Presidential or Secretarial declaration will see the waiver period end, even if it is within 72 hours of a hospital instituting its disaster protocol.
The waiver does not apply to all provisions of the Privacy Rule, only the following elements:
- 45 CFR 164.510(b) – the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
- 45 CFR 164.510(a) – the requirement to honor a request to opt out of the facility directory.
- 45 CFR 164.520 – the requirement to distribute a notice of privacy practices.
- 45 CFR 164.522(a) – the patient’s right to request privacy restrictions.
- 45 CFR 164.522(b) – the patient’s right to request confidential communications.
In a recent HIPAA bulletin announcing the waiver, the HHS points out that even when a waiver has not been issued, the HIPAA Privacy Rule does allow patient health information to be shared for treatment purposes. Covered entities are permitted to disclose patient’s protected health information to provide treatment to the patient or another patient in the same emergency situation. PHI can also be shared for the coordination or management of healthcare, consultation with other healthcare providers, and for referring patients for treatment.
Covered entities can also share PHI with public health authorities to ensure the health and safety of patients or the public without individual authorization, such as with a public health authority such as the CDC or a state health department. Disclosures can also be made to family, friends and others involved in a patient’s care, although restrictions do apply.
Further information on allowable disclosures and uses of PHI in emergency situations are detailed in the HIPAA bulletin.
The HHS points out that the HIPAA Privacy Rule only applies to HIPAA covered entities and their business associates, and does not, for instance, apply to the American Red Cross, which is permitted to share patients’ health information although such organizations may be bound by state/federal rules other than HIPAA.