A limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Hurricane Irma has been issued by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in the U.S. Virgin Islands, Puerto Rico, and Florida.
OCR says that the HIPAA Privacy and Security Rules remain in place and covered organizations must continue to comply with HIPAA Rules; however, certain parts of the Privacy Rule have been temporarily waived in line with the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act.
Should a hospital in the disaster zone not comply with the following stated aspects of the HIPAA Privacy Rule, penalties and sanctions will not be applicable:
- 45 CFR 164.510(b) – Obtain a patient’s agreement to consult with family members or acquaintances involved in the patient’s treatment
- 45 CFR 164.510(a) – Honor requests to not be included in the facility directory.
- 45 CFR 164.520 – Issue/broadcast a notice of privacy processes.
- 45 CFR 164.522(a) – The patient’s right to seek privacy restrictions.
- 45 CFR 164.522(b) – The patient’s right to ask for confidential communications.
The partial waiver only applies to financial penalties and sanctions in relation to the above provisions of the HIPAA Privacy Rule, only to hospitals in the specified emergency zone that have put in place their disaster protocol, and only for the time period defined in the public health emergency declaration.
The waiver applies for a maximum of 72 hours after a hospital has begun its disaster protocol. If either the President’s or the HHS Secretary’s declaration terminates during this 72-hour period, the hospital must immediately comply with all required aspects of the HIPAA Privacy Rule for all patients it is treating.
In emergency situations, the HIPAA Privacy Rule already permits the release of PHI for treatment purposes and to public health authorities that require access to PHI to carry out their public health mission. HIPAA-covered organizations are also allowed to share information with family, friends, and others involved in an individual’s care, even when no partial waiver has been issued. Further details of the disclosures permitted in emergency situations are included in the HHS HIPAA bulletin.
In all such cases, covered organizations must restrict each disclosure to the minimum necessary information to achieve the purpose for which the PHI is released.
Even during natural disasters, healthcare groups and their business associates must continue to comply with the HIPAA Security Rule and must ensure that appropriate administrative, physical, and technical safeguards are maintained to protect the confidentiality, integrity, and availability of electronic protected health information and to prevent unauthorized access and disclosures.