HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia
Following the presidential declaration of public health emergencies in the states of Florida and Georgia in the wake of Hurricane Michael, secretary of the Department of Health and Human Services (HHS) Alex Azar has followed suit in both states and has exercised his authority to waive HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule in the disaster areas.
The HHS announced the public health emergency in Florida on October 9, and Georgia on October 11.
The HIPAA Privacy Rule does permit healthcare providers to share protected health information during disasters to assist patients and ensure they receive the care they need, including sharing information with friends, family members and other individuals directly involved in a patient’s care. The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief efforts without first obtaining permission from patients.
During natural disasters the HIPAA Privacy and Security Rules remain in effect, although following the secretarial declaration, sanctions and penalties against HIPAA-covered entities have been waived for the following provisions of the HIPAA Privacy Rule:
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- The requirement to honor a request to opt out of the facility directory. See 45 CFR164.510(a).
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- The patient’s right to request confidential communications. See 45 CFR 164.522(b).
The waiver only applies to qualifying hospitals in the emergency area for the period identified in the public health emergency declaration. Qualifying hospitals are permitted to take advantage of the waiver for up to 72 hours, provided their disaster protocol has been implemented.
The waiver is only in place for the 72-hour period or the duration of the public health emergency declaration, whichever terminates sooner. Once the 72-hour time period is over or the presidential or secretarial declaration terminates, the waiver ends, even for patients still under a hospital’s care.
“We are working closely with state health authorities and private sector partners from hospitals and other healthcare facilities to save lives and protect public health after Hurricane Michael,” said Secretary Azar. The declarations will help to ensure that residents in both states have continuous access to the care they need.”
The HHS has said more than 400 medical and public health personnel have been moved into the disaster areas along with caches of medical equipment and a further 300 personnel from the National Disaster Medical Systems and the U.S. Public Health Service Commissioned Corps have been placed on alert. HHS teams will be providing medical services in shelters, assisting with disease surveillance, offering behavioral support to residents and responders, and will be helping to assess whether further federal medical and health support is required in the disaster areas.
