Hurricane Maria Disaster Zone Has Partial HIPAA Privacy Rule Waiver Imposed

The U.S. Department of Health and Human Services (HHS) has already imposed two partial waivers of HIPAA sanctions and penalties in regions subjected to hurricane weather in 2017 year. Now another partial waiver has been imposed, this time in the threatened Hurricane Maria disaster area surrounding Puerto Rico and the U.S. Virgin Islands.

Similar to the waivers imposed at the time of Hurricane Harvey and Hurricane Irma, the waiver only applies to covered organization in regions where a public health emergency has been officially established, only for 72 hours following the implementation of the hospital’s disaster protocol and only for the stipulated provisions of the HIPAA Privacy Rule as follows:

• The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
• The requirement to honor a preference for non-inclusion in the facility directory. See 45 CFR 164.510(a).
• The obligation to send out a notice of privacy practices. See 45 CFR 164.520.
• The patient’s right to have privacy restrictions put in place. See 45 CFR 164.522(a).
• The patient’s right to have only confidential communications. See 45 CFR 164.522(b)

As soon as the 72-hour period has ended, or as soon as the Presidential or Secretarial declaration comes to a close, the waiver ceases to be applicable and covered entities must comply with the above, and all other, provisions of the Privacy Rule for all patients they are treating.

In cases of emergency, a partial waiver of sanctions and penalties for violations of limited provisions of the HIPAA Privacy Rule is not necessarily needed, although such a waiver does give some reassurance to covered groups that are providing care in a disaster area.

The HHS has established, in its recent communication, that in emergency situations covered entities can legally to share limited protected health information of patients even if a waiver has not been applied in that region when:

1. It is in the best interests of patients to do so
2. to help identify patients
3. To help locate family members
4. for public health activities.

In the case of the latter, it is allowable to share PHI with public health bodies such as a state or local health department or the CDC with the aim of stopping or controlling disease, injury or disability.

PHI can also be shared with the aim of providing treatment, either the treatment of the patient or another individual who may be affected in the same instance, as well as to help with the provision or management of healthcare, such as distributing PHI to other healthcare providers or when sending patients for treatment – 45 CFR §§ 164.502(a)(1)(ii), 164.506(c)

PHI can be distributed to anyone, as necessary, to prevent or lessen a serious or imminent threat to the health and safety of an individual or the public., if that person is in a position to lessen or stop the threatened harm. Such disclosures can be made without the patient’s stated permission. It is left to the discretion of the covered group to decide regarding the nature and severity of the risk to health – 45 CFR 164.512(j).

Disclosures can be shared with family, friends, and other people involved in a patient’s treatment, and information can be distributed to help identify, locate, and notify family members, guardians, or others responsible for a patient’s treatment – 45 CFR 164.510(b).

When other people not participating in the treatment of an individualt, including the media, ask for information about a specific patient by name, a HIPAA-covered entity is permitted to distribute “limited facility directory information” and provide general information about the patient such as their current condition, are dead, or have been treated and have left the health facility, provided the patient has not asked for the information be kept private.

In all scenarios, any disclosures must be kept to the minimum necessary data to achieve the aim for which the information is distributed. In all instances, even in cases of emergency, the HIPAA Security Rule requirements apply and covered groups must persist with ensuring administrative, physical and technical safeguards are maintained to preserve the confidentiality, integrity and availability of PHI.