OCR Pubishes Guidance on Patient Data Sharing During a Public Health Emergency

Following President Trump’s declaration of a public health emergency in Virginia due to Hurricane Florence, Alex Azar, Secretary of the U.S. Department of Health and Human Services declared a Public Health Emergency in South Carolina, North Carolina and Virginia.

With the declaration comes easing of certain HIPAA restrictions to assist beneficiaries of the Centers for Medicare & Medicaid Services’ (CMS) and their healthcare provider in preparing for hurricane Florence. It will permit these organizations to have more freedom to meet emergency health needs.

During public health emergencies, healthcare providers may have difficulty complying with all the HIPAA Privacy Rule requirements. The HIPAA Privacy Rule remains in effect during emergencies such as hurricanes. However, the declaration of a Public Health Emergency means certain provisions of the Privacy Rule are eased under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b) of the Social Security Act.

Sanctions and penalties charges have been waived for the following provisions of the HIPAA Privacy Rule.

  • 45 CFR 164.510(b) – Obtaining a patient’s permission prior to communicating with family, friends and others directly involved with the patient’s care
  • 45 CFR 164.510(a) – The requirement to comply with requests to opt out of the facility directory
  • 45 CFR 164.520 – The distribution of a notice of privacy practices
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications

Penalties and sanctions have not been waived for any other HIPAA Privacy Rule provisions, nor for any of the requirements of the HIPAA Security Rule.

HIPAA-covered entities should note that the waiver only applies to areas covered by the public health emergency declaration, and only for the time frame of the declaration. In order for the waiver to apply, a hospital must have initiated its disaster protocol and the waiver only lasts for 72 hours following the declaration of a health emergency.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

When the declaration ends, the waiver similarly ends, even for patients still under the care of the hospital and even if the 72 hour time period following the declaration has not elapsed.

Following Secretary Azar’s declaration, the HHS’ Office for Civil Rights published guidance to help healthcare organizations determine what constitutes appropriate sharing of health information during emergencies and an Emergency Preparedness Decision Tool.

The guidance can be found on this link: https://www.hhs.gov/sites/default/files/2018-hurricane-florence-hipaa-bulletin-update.pdf

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/