Limited Waiver of HIPAA Sanctions Issued by HHS in Aftermath of Californian Wildfires


A limited waiver of HIPAA sanctions and penalties was issued by the Secretary of the U.S. Department of Health and Human Services in the wake of the recent wildfires in California. The limited HIPAA waiver was made public following the presidential declaration of a public health emergency in northern California due to the wildfires.

Similar to the HIPAA waivers announced after Hurricane Irma and Hurricane Maria, the limited waiver of sanctions is only applicable when healthcare organizations have begun adapting their disaster protocol measures, and even then only for a maximum of 72 hours following the implementation of that protocol. Should the public health emergency be declared over, healthcare organizations must then comply with all stipulations of the HIPAA Privacy Rule for all patients being treated by them, even if the 72-hour period has not elapsed.

Whenever a limited waiver of HIPAA sanctions and penalties is issued by the HHS, healthcare providers must still adhere to the stipulations of the HIPAA Security Rule, and the Privacy Rule is not put on hold. The HHS simply exercises the authority given to it by the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act, and will not apply sanctions or penalties against healthcare providers in respect of the following stipulations of the HIPAA Privacy Rule:

  • 45 CFR 164.510(b) – The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s treatment.
  • 45 CFR 164.510(a) – The requirement to respect a preference to opt out of the facility directory.
  • 45 CFR 164.520 – The requirement to publish and share a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

Even in cases of emergency and natural disasters, the HIPAA Privacy Rule permits HIPAA-covered groups to distribute patients’ PHI to help in disaster relief efforts and to help ensure patients receive the care they need.

PHI may also be shared for the purpose of providing emergency treatment to patients, in order to effectively coordinate patient care, or when sending patients to other healthcare treatment providers. PHI can be distributed for public health activities to allow groups to complete their public health missions. Disclosures can be made to family members, friends and other people involved in a patient’s treatment, as necessary, to identify, find or notify family members of the patient’s location, condition or possible death. Disclosures can be made to anyone, as necessary, to stop or minimize a serious injury. Disclosures can be made to the media regarding a patient’s general health status, and limited facility directory information can also be disclosed for a named person being treated, provided the patient has not objected to such a release of private information.

In all scenarios, the ‘minimum necessary’ standard must be respected. Information sharing should be kept to the minimum required information to achieve the specific goal for which it is shared.

