A public health crisis was declared in some parts of the U.S. Virgin Islands, Florida and Puerto Rico, which were hit by Hurricane Irma. Like the situation in Louisiana and Texas after Hurricane Harvey, a limited waiver of HIPAA Privacy Rule sanctions and fines for hospitals impacted by Irma was announced by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).
OCR emphasized that the HIPAA Privacy and Security Rules were not revoked and covered entities should still follow HIPAA Rules; nevertheless, certain conditions of the Privacy Rule were waived under Section 1135(b) of the Social Security Act and the Project Bioshield Act of 2014.
In case of a disaster, the penalties and sanctions would be waived if a hospital around a disaster zone doesn’t adhere to the subsequent elements of the HIPAA Privacy Rule:
- Get a patient’s consent to talk with family members or friends in charge of the patient’s care – 45 CFR 164.510(b)
- Accept requests to choose not to be included in the facility directory – 45 CFR 164.510(a)
- Deliver a notice of privacy practices – 45 CFR 164.520
- The right of the patient to ask for privacy limitations – 45 CFR 164.522(a)
- The right of the patient to ask for confidential communications – 45 CFR 164.522(b)
The waiver is only applicable to penalties and sanctions relating to the provisions of the HIPAA Privacy Rule mentioned above, exclusively to hospitals located in the emergency area which have carried out their disaster protocol, and just for the period of time set in the public health emergency announcement.
The waiver is applicable for no more than 72 hours after a medical center carried out its emergency protocol. Should the President’s or HHS Secretary’s declaration ends within 72-hours, the hospital should instantly adhere to all conditions of the HIPAA Privacy Rule regarding all patients within its care.
In emergency cases, the HIPAA Privacy Rule allow the sharing of PHI for purposes of treatment and with public health authorities that need PHI access in order to perform their public health duties. HIPAA-covered entities are likewise allowed to disclose information to family, friends, or other people concerned in a person’s treatment, even though a waiver hasn’t been released. More details of the permitted uses in emergency scenarios are explained in the HHS HIPAA announcement <https://www.hhs.gov/sites/default/files/hurricane-irma-hipaa-bulletin.pdf>.
For all cases, covered entities should restrict disclosures to the minimum required information to accomplish the purpose for disclosing the PHI. Even with natural disasters, healthcare agencies and their business associates need to adhere to the HIPAA Security Rule and must be sure proper physical, administrative and technical safety measures are kept to guarantee the privacy, integrity, and accessibility of electronic PHI to avoid access and disclosures to unauthorized persons.