Hurricane Harvey & Irma's Impact on Certain Provisions of the HIPAA Privacy Rule
The HHS Office of Civil Rights (OCR) recently announced that Secretary Tom Price, M.D., declared a public health emergency in Texas, Louisiana, and Florida and has exercised the authority to waive sanctions and penalties against a Texas, Louisiana or Florida covered hospital that does not comply with the following provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care
- The requirement to honor a request to opt out of the facility directory
- The requirement to distribute a notice of privacy practices
- The patient's right to request privacy restrictions
- The patient's right to request confidential communications
OCR goes on to say that this type of waiver only applies:
- in the emergency area and for the emergency period identified in the public health emergency declaration;
- to hospitals that have instituted a disaster protocol;
- with respect to the provisions identified above; and
- for up to 72 hours from the time the hospital implements its disaster protocol.
It's important to note that other provisions of the Privacy Rule continue to apply, even during the waiver period. Additionally, all HIPAA Security Rule provisions and Breach Notification Rule requirements remain in effect.
Once the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
OCR does provide an interactive decision tool on it's website to assist with emergency preparedness and recovery planners in determining how to gain access to and use PHI in regards to the HIPAA Privacy Rule. This tool is beneficial in helping users find out how the HIPAA Privacy Rule relates to their medical practice.
For more information about sharing patient information under the privacy rule in emergency situations, refer to recent HHS information about disaster recovery: