HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone
The U.S. Department of Health and Human Services has already issued two partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes this year. Now a third HIPAA waiver has been issued, this time in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands.
As was the case with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver only applies to covered entities in areas where a public health emergency has been declared, only for 72 hours following the implementation of the hospital’s disaster protocol, and only for specific provisions of the HIPAA Privacy Rule:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- The patient’s right to request confidential communications. See 45 CFR 164.522(b)
As soon as the 72-hour period has elapsed, or as soon as the Presidential or Secretarial declaration terminates, the waiver ceases to apply and covered entities must comply with the above provisions of the Privacy Rule for all patients still under their care.
Further information on the HIPAA waiver in relation to Hurricane Maria can be viewed here.
In an emergency situation, a waiver of sanctions and penalties for violations of limited provisions of the HIPAA Privacy Rule is not strictly necessary, although such a waiver does offer some reassurance to covered entities that are operating in a disaster area.
The HHS has pointed out in its recent communication that in emergency situations, covered entities are permitted to share limited protected health information of patients even if a waiver has not been issued, when it is in the best interests of patients to do so, to help identify patients, to help locate family members, and for public health activities. In the case of the latter, it is permissible to share PHI with public health authorities such as a state or local health department or the CDC for the purpose of preventing or controlling disease, injury or disability.
PHI can also be shared for the purposes of treatment, either the treatment of the patient or another person who may be affected by the same situation, as well as to help with the coordination or management of healthcare, such as sharing PHI with other healthcare providers or when referring patients for treatment – 45 CFR §§ 164.502(a)(1)(ii), 164.506(c)
PHI can be shared with anyone, as necessary, to prevent or lessen a serious or imminent threat to the health and safety of a person or the public., if that person is in a position to lessen or prevent the threatened harm. Such disclosures can be made without the patient’s permission. It is left to the discretion of the covered entity to make a determination about the nature and severity of the threat to health – 45 CFR 164.512(j).
Disclosures can be made to family, friends, and other individuals involved in a patient’s care, and information can be shared to help identify, locate, and notify family members, guardians, or others responsible for a patient’s care – 45 CFR 164.510(b).
When others not involved in the treatment of a patient, including the media, request information about a specific patient by name, a HIPAA-covered entity is permitted to disclose “limited facility directory information” and provide general information about the patient such as whether they are in critical or stable condition, are deceased, or have been treated and have left the facility, provided the patient has not requested the information be kept private.
In all cases, any disclosures must be limited to the minimum necessary information to achieve the purpose for which the information is disclosed. At all times, even in emergency situations, the HIPAA Security Rule requirements apply and covered entities must continue to ensure administrative, physical, and technical safeguards are in place to preserve the confidentiality, integrity, and availability of PHI.