HHS Declares in Hurricane Harvey Disaster Zone the Partial Waiver of Sanctions and Penalties for HIPAA Privacy Rule Violations

During emergency situations for example natural disasters, HIPAA Privacy Rule compliance can be a difficult task for hospitals and could likely have a bad effect on patient care and catastrophe relief campaigns.

In crisis situations, the HIPAA Rules still continue to apply. As per the HIPAA Privacy Rule, patient data may be shared to assist with disaster relief work and make sure that patients receive the proper care they need.

Under the Privacy Rule, covered entities may share patient data for treatment reasons, for activities involving public health, to make known patient data to family members, friends and other people engaged in the care of patients, to avert or reduce a serious and impending threat to the wellness and protection of an individual or the general public. With specific situations, the HIPAA privacy rule permits covered entities to share some data with the press and other people not engaged in the care of patients (45 CFR 164.510(a)).

In such instances, disclosures need to be restricted to the least required information to achieve the goal for which the data is being shared. Nevertheless, disasters frequently necessitate a relaxation of the HIPAA Rules. The Secretary of the Department of Health and Human may decide to waive selected terms of the HIPAA Privacy Rule according to the Project Bioshield Act of 2004 (PL 108-276) as well as section 1135(b)(7) of the Social Security Act.

At the time of the Ebola crisis last November 2014, OCR released a waiver for selected specifications of HIPAA Rules, like the case immediately after Hurricane Katrina when OCR issued a waiver for particular Privacy Rule terms.

Yesterday, HHS Secretary Tom Price made an announcement that OCR is going to waive sanctions as well as financial fines for certain violations of Privacy Rule for hospitals in Louisiana and Texas in the area affected Hurricane Harvey.

The waiver is applicable only to the conditions of the HIPAA Privacy Rule as specified here:

  • 45 CFR 164.510(b) – The prerequisite to acquire a patient’s permission to talk with members of the family or friends engaged in the care of patients.
  • 45 CFR 164.510(a) – The prerequisite to honor a request to not be included in the facility directory.
  • 45 CFR 164.520 – The prerequisite to send out a notification of privacy practices.
  • 45 CFR 164.522(a) – The right of patients to request privacy limitations.
  • 45 CFR 164.522(b) – The right of patients to request private communications.

These waivers just apply to healthcare providers in the emergency locations which were recognized in the public health emergency proclamation.

The waiver simply applies in case hospitals have implemented a disaster protocol and the waiver is applicable for 72 hours from the time the disaster protocol was implemented. The waiver will likewise just apply right until the Presidential or Secretarial declaration ends, regardless if the 72 hours hasn’t passed.

More information about the limited waiver of HIPAA sanctions and penalties because of Hurricane Harvey is available here.