HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires

The Secretary of the HHS, Alex Azar, has declared a public health emergency exists in the states of Louisiana and Texas as a result of the consequences of Hurricane Laura, and in California due to ongoing wildfires.

During public health emergencies the HIPAA Rules are not suspended; however, the HHS Secretary may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

In addition to the declaration of public health emergencies, the HHS Secretary has declared that sanctions and penalties against hospitals will be waived for the following provisions of the HIPAA Privacy Rule.

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

Sanctions and penalties for noncompliance with the above provisions of the HIPAA Privacy Rule have only been waived for hospitals in the emergency areas and only for the time period stated in the public health emergency declarations.

The waivers only apply to hospitals that have instituted their disaster protocol, and only for up to 72 hours from the time the disaster protocol is instituted.  Once either the Presidential or Secretarial declaration terminates, the HIPAA waivers will no longer be in effect and hospitals must then ensure they comply with all provisions of the HIPAA Privacy Rule. That applies even if the 72 hour period has not elapsed.

During public health emergencies, the HIPAA Privacy Rule allows patient information to be shared for treatment, payment, and healthcare operations.

Patient information can also be shared for public health activities to allow public health authorities to carry out their public health mission. Patient information can be shared with a public health authority such as the Centers for Disease Control and Prevention for the purpose of preventing or controlling disease, injury or disability.

The HIPAA Privacy Rule also permits the sharing of patient information at the direction of a public health authority to a foreign government agency and to persons at risk of contracting or spreading a disease or condition if permitted by other laws, which authorize a covered entity to notify such persons to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.

Disclosures can also be made to family members, friends, and others involved in an individual’s care and for notification, and healthcare providers may disclose patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law, and the provider’s standards of ethical conduct.

Limited disclosures to the media and others not involved in the care of a patient are permitted, if a request is received and the name of the patient is provided, but should be restricted to limited facility directory information to acknowledge an individual is a patient at the facility and basic information about the status of the patient (e.g., critical or stable, deceased, or treated and released).

In all cases, the minimum necessary rule applies. Disclosures should be restricted to the minimum amount of information necessary to achieve the purpose for which the information is being disclosed.

Public Health Emergency Declarations

Louisiana and Texas PHE

California PHE

HIPAA Waivers

HIPAA Bulletin Louisiana and Texas

HIPAA Bulletin California

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.