Hurricane Maria Disaster Zone: Partial HIPAA Privacy Rule Waiver Issued by HHS
A third HIPAA waiver has been issued by the U.S. Department of Health and Human Services, following two earlier partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes earlier in 2017. This time the waiver applies to the Hurricane Maria disaster zone in Puerto Rico and the U.S. Virgin Islands.
As with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver only applies to covered entities in areas where a public health emergency has been declared, only for 72 hours following the implementation of the hospital’s disaster procedures, and only for specific provisions of the HIPAA Privacy Rule:
- The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s treatment. See 45 CFR 164.510(b).
- The requirement to respect a request to opt out of the facility directory. See 45 CFR 164.510(a).
- The requirement to release an official notice of privacy practices. See 45 CFR 164.520.
- The patient’s right to ask for privacy restrictions. See 45 CFR 164.522(a).
- The patient’s right to seek confidential communications. See 45 CFR 164.522(b).
As soon as the 72-hour period has ended, or as soon as the Presidential or Secretarial declaration terminates, the waiver no longer applies and covered entities must comply with the above provisions of the Privacy Rule for all patients still under their care.
Further information on the HIPAA waiver in relation to Hurricane Maria can be downloaded here.
In the case of an emergency, a waiver of sanctions and fines for violations of limited provisions of the HIPAA Privacy Rule is not strictly required, although such a waiver does offer some reassurance to covered entities that are working in a disaster area.
The HHS has said in its recent communication that in emergency situations, covered entities are allowed to share limited protected health information (PHI) of patients even if a waiver has not been issued, when it is in the best interests of patients to do so, to help identify patients, to help find family members, and for public health activities. In the case of the latter, PHI may be shared with public health authorities such as a state or local health department or the CDC for the purpose of stopping or controlling disease, injury or disability.
PHI can also be shared to aid treatment, either of the patient or of another individual who may be affected by the same situation, as well as to assist with the coordination or management of healthcare, such as sharing PHI with other healthcare providers or when referring patients for treatment – 45 CFR §§ 164.502(a)(1)(ii), 164.506(c).
PHI may be shared with anyone, as necessary, to prevent or minimize a serious or imminent threat to the health and safety of a person or the public, if that person is in a position to lessen or stop the threatened harm. Such disclosures can be made without the patient’s express permission. It is left to the discretion of the covered entity to make a determination about the nature and severity of the threat to health – 45 CFR 164.512(j).
Disclosures can be made to family, friends, and other people involved in a patient’s care, and data may be given to help identify, locate, and notify family members, guardians, or others charged with responsibility for a patient’s care – 45 CFR 164.510(b).
When others not involved in the treatment of a patient, including the media, ask for information about a specific patient by name, a HIPAA-covered entity is allowed to release “limited facility directory information” and provide general information about the patient such as whether they are in critical or stable condition, are deceased, or have been treated and have departed the facility, provided the patient has not requested the information be kept from public release.
In all instances, any disclosures must be kept to the minimum necessary information to achieve the aim for which the information is released. At all times, even in cases of emergency, the HIPAA Security Rule requirements apply and covered entities must continue to ensure administrative, physical, and technical safeguards are in place to maintain the confidentiality, integrity, and availability of PHI.