The U.S. Department of Health and Human Services issued a partial waiver of HIPAA sanctions and penalties for the third time this year. The waiver was issued for Puerto Rico and the U.S. Virgin Islands because of Hurricane Maria. It applies to covered entities in the areas where the government declared a public health emergency, and it is in effect for just 72 hours after the hospital has implemented disaster protocols. The following provisions of the HIPAA Privacy Rule are waived:
- The requirement to get a patient’s consent to speak with family members or friends taking care of the patient. See 45 CFR 164.510(b).
- The requirement to grant a request to opt out of the facility directory. See 45 CFR 164.510(a).
- The requirement to send a notice of privacy practices. See 45 CFR 164.520.
- The patient’s right to ask for privacy restrictions. See 45 CFR 164.522(a).
- The patient’s right to request confidential communications. See 45 CFR 164.522(b).
When the 72-hour period ends or the Presidential or Secretarial declaration is over, the waiver no longer applies to covered entities. Healthcare providers must then comply with all HIPAA provisions with respect to patient care.
According to HHS, a waiver of sanctions and penalties for violations of limited provisions of the HIPAA Privacy Rule is not strictly required during emergency situations. It has recently been communicated that covered entities can share limited PHI even without the waiver when:
- It is in the patients’ best interests.
- It can help identify patients or find the patients’ family.
- It helps public health authorities, e.g. the state or local health department and CDC, to prevent or control disease, disability and injury.
- It helps coordinate or manage healthcare, such as when referring patients for treatment during the emergency situation.
PHI may be shared with anybody when needed for the purpose of lessening a serious or imminent threat to a person’s health or public safety. For such disclosures, the patient’s permission is not required, and the covered entity can make the decision depending on the nature and severity of the threat.
When entities not involved in patient care, such as the media, ask for information, a HIPAA-covered entity may disclose “limited facility directory information” and other general information, such as whether the patient is in critical or stable condition, has died, or was treated before leaving the facility.
The information mentioned above may be shared unless the patient has specifically instructed the covered entity not to do so. The HIPAA Security Rule protects the confidentiality, integrity and availability of patients’ PHI at all times. So, when sharing is necessary, it must be limited to the minimum information needed to achieve the purpose of the disclosure. Covered entities must always put in place administrative, technical and physical safeguards to ensure PHI preservation.