Secretary of HHS Announces Limited HIPAA Waiver due to Hurricane Dorian

The Secretary of the Department of Health and Human Services (HHS) has declared a public health emergency in Puerto Rico and the states of Florida, Georgia, and South Carolina due to Hurricane Dorian.

On September 4, the Secretary, Alex Azar, also declared a public health emergency in North Carolina, retroactive to September 1, 2019.

Secretary Azar’s announcement comes as the US mainland prepares for Hurricane Dorian to make landfall. The declaration was accompanied by the announcement of a limited waiver of HIPAA sanctions and penalties for specific provisions of the HIPAA Privacy Rule, as mandated by the Project Bioshield Act of 2004 of the Social Security Act.

The waiver only applies in the emergency areas and for the period covered by the public health emergency.

The waiver applies to hospitals that have implemented their disaster protocol, and only for up to 72 hours from when the disaster protocol was implemented unless the public health emergency declaration terminates before those 72 hours have elapsed.

Once the emergency terminates, hospitals are required to comply with all requirements of the HIPAA Privacy Rule for all patients. This provision also applies to patients still under the care of the hospital when the emergency ends.

The HHS notes that during a public health emergency, the requirements of the HIPAA Privacy and Security Rules remain in place.

Even in the absence of a HIPAA waiver, the HIPAA Privacy Rule permits the sharing of patient information with friends, family, public health officials, and emergency personnel. HIPAA covered entities (CEs) can share patient information to provide treatment, for public health activities, and to lessen a serious threat to public health or safety.

CEs can also share information with patients’ friends, family and other individuals involved in their care to ensure that proper care and treatment can be provided.

Under the terms of the HIPAA waiver, the HHS agrees to waive HIPAA sanctions and penalties for the following provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

Further information on the waiver, HIPAA privacy, and disclosures of PHI in emergency situations can be found at the following link: https://www.hhs.gov/sites/default/files/hurricane-dorian-hipaa-bulletin.pdf
