HHS Announces Limited Waiver of HIPAA Fines and Sanctions in in Texas Due to Winter Storm

Norris Cochran, the Acting Secretary of the Department of Health and Human Services, has declared a public health emergency exists in the state of Texas due to the consequences of the winter storm and has exercised the right to waive sanctions and penalties for certain violations of the HIPAA Privacy Rule.

In emergency situations, it is still necessary to comply with the HIPAA Privacy, Security, and Breach Notification Rules. In emergency situations, the HIPAA Privacy Rule permits uses and disclosures of patient information for treatment, payment, and healthcare operations, including sharing patient information with public health authorities for ensuring public health and safety. Disclosures are also permitted to family, friends, and others involved in an individual’s care, and patient information can be shared to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.

The HIPAA waiver applies to cases of noncompliance with specific requirements of the HIPAA Privacy Rule for covered hospitals in the emergency area, and only for the period of the public health emergency declaration. The waiver only covers hospitals that have implemented their disaster protocol and only for up to 72 hours from the time the disaster protocol is implemented. When either the presidential or secretarial public health emergency terminates, hospitals must then comply with all requirements of the HIPAA Privacy Rule, even for patients still in their care and if the 72-hour time period has not yet elapsed.

The HIPAA waiver only applies to the following HIPAA Privacy Rule requirements:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care, as detailed in 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory, as detailed in 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices, as detailed in 45 CFR 164.520.
  • The patient’s right to request privacy restrictions, as detailed in 45 CFR 164.522(a).
  • The patient’s right to request confidential communications, as detailed in 45 CFR 164.522(b).

No other HIPAA Privacy Rule requirements are covered by the HIPAA waiver, and even in emergency situations, compliance with the HIPAA Security Rule must continue.

The waiver is effective from February 19, 2021 and retroactive to February 11, 2021.