OCR Publishes Guidance on Patient Data Sharing During a Public Health Emergency

Following President Trump’s declaration of a public health emergency in Virginia due to Hurricane Florence, Alex Azar, Secretary of the U.S. Department of Health and Human Services, declared a Public Health Emergency in South Carolina, North Carolina and Virginia.

With the declaration comes an easing of certain HIPAA restrictions to assist beneficiaries of the Centers for Medicare & Medicaid Services (CMS) and their healthcare providers in preparing for Hurricane Florence. It will give these organizations more freedom to meet emergency health needs.

During public health emergencies, healthcare providers may have difficulty complying with all the HIPAA Privacy Rule requirements. The HIPAA Privacy Rule remains in effect during emergencies such as hurricanes. However, the declaration of a Public Health Emergency means certain provisions of the Privacy Rule are eased under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b) of the Social Security Act.

Sanctions and penalties have been waived for the following provisions of the HIPAA Privacy Rule:

  • 45 CFR 164.510(b) – Obtaining a patient’s permission prior to communicating with family, friends and others directly involved with the patient’s care
  • 45 CFR 164.510(a) – The requirement to comply with requests to opt out of the facility directory
  • 45 CFR 164.520 – The distribution of a notice of privacy practices
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications

Penalties and sanctions have not been waived for any other HIPAA Privacy Rule provisions, nor for any of the requirements of the HIPAA Security Rule.

HIPAA-covered entities should note that the waiver only applies to areas covered by the public health emergency declaration, and only for the time frame of the declaration. In order for the waiver to apply, a hospital must have initiated its disaster protocol, and the waiver only lasts for 72 hours following the declaration of a health emergency.

When the declaration ends, the waiver similarly ends, even for patients still under the care of the hospital and even if the 72-hour time period following the declaration has not elapsed.

Following Secretary Azar’s declaration, the HHS’ Office for Civil Rights published guidance to help healthcare organizations determine what constitutes appropriate sharing of health information during emergencies, along with an Emergency Preparedness Decision Tool.

The guidance can be found at this link: https://www.hhs.gov/sites/default/files/2018-hurricane-florence-hipaa-bulletin-update.pdf