Limited Waiver of HIPAA Penalties in Florida and Georgia in Aftermath of Hurricane Michael

Alex Azar, secretary of the Department of Health and Human Services (HHS) has waived HIPAA sanctions and penalties for some provisions of the HIPAA Privacy Rule in the states of Florida and Georgia after the presidential declaration of public health emergencies in the two states due to hurricane Michael. The public health emergency was announced in Florida on October 9 and in Georgia on October 11.

During natural disasters, the HIPAA Privacy Rule permits healthcare providers to share protected health information (PHI) to ensure that patients receive the healthcare they require. Information may be shared with friends, members of the family, and other persons directly responsible for the care of a patient. The HIPAA Privacy Rule permits the disclosure of PHI for purposes related to public health activities that serve to prevent or reduce serious and impending risks to health or security. HIPAA-covered entities are likewise allowed to disclose data to disaster relief agencies that have been authorized by law to support disaster relief campaigns, without the need to obtain permission from patients.

During natural disasters, the HIPAA Privacy and Security Rules continue to be in force; however, with a secretarial declaration, sanctions and penalties for the following HIPAA Privacy Rule provisions are waived:

  • 45 CFR 164.510(b) – Obtaining a patient’s permission to speak to members of the family or friends engaged in their care.
  • 45 CFR164.510(a) – Honoring a request not be included in the facility directory.
  • 45 CFR 164.520 – Distribution of notices of privacy practices.
  • 45 CFR 164.522(a) – Honoring the patient’s request for privacy restrictions.
  • 45 CFR 164.522(b) – Honoring the patient’s request to confidential communications.

The waiver of sanctions and penalties is not applicable to all hospitals, only to qualifying hospitals located within the emergency area for the duration specified in the public health emergency announcement that have implemented their disaster protocol. The waiver is in effect up to 72 hours and is terminated when the 72-hour period has elapsed or when the public health emergency declaration terminates, even if patients are still under hospital care.

According to the HHS, over 400 medical and public health staff members had gone into the disaster areas to provide assistance and medical equipment has also been provided in Florida and Georgia. Another 300 healthcare professionals from the U.S. Public Health Service Commissioned Corps and the National Disaster Medical Systems have been placed on alert. The HHS teams will help provide medical services in shelters, give behavioral support to locals and responders, participate in disease surveillance, and will help evaluate whether further federal medical and health support is needed in the disaster zones.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: