HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human may choose to waive certain provisions of the HIPAA Privacy Rule under Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations for hospitals in Texas and Louisiana in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.