With a few more weeks left in the hurricane season, it may be a good time to review HIPAA Privacy Rule protocols in emergency situations.

Lesson 1: HHS issues Bulletins related to disasters and emergency situations. 

This year, the Department of Health and Human Services (HHS) has issued three bulletins (the Bulletins) related to the three hurricanes, Harvey, Irma, and Maria. In these Bulletins, HHS provides that in times of severe disasters, questions often arise about what information may be shared and with whom, including with friends and family, public health officials, and emergency personnel. In the Bulletins, HHS reminded applicable entities that the HIPAA Privacy rule does allow patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need.

Lesson 2: Certain provisions of HIPAA can be waived by the HHS Secretary. 

If the President declares an emergency or disaster and the HHS Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the Privacy Rule.

During Harvey, Irma, and Maria, the HHS Secretary did in fact declare a public health emergency in the affected areas (for Harvey – Texas and Louisiana; for Irma – Florida, Puerto Rico, and the U.S. Virgin Islands; for Maria – Puerto Rico and the U.S. Virgin Islands) and exercised the authority to waive these following provisions of HIPAA:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (45 C.F.R. 164.501(b));
  • The requirement to honor a request to opt out of the facility directory (45 C.F.R. 164.510(b));
  • The requirement to distribute a notice of privacy practices (45 C.F.R. 164.520)
  • The patient’s right to request privacy restrictions (45 C.F.R. 164.522(a)); and
  • The patient’s right to request confidential communications (45 C.F.R. 164.522(b)).

As you can see, much of the provisions that were waived relates to a health provider’s ability to efficiently provide care and notice to family and friends regarding the patient’s care.

Lesson 3: HIPAA waivers have its limitations. 

It is important to note, that the waivers discussed above only apply to the emergency area and for the emergency period identified in the public health emergency declaration. The waivers are only applicable to hospitals that have instituted a disaster protocol and for up 72 hours from the time the hospital implements its disaster protocol. If the public health emergency declaration terminates, then hospitals must begin complying with all requirements of the Privacy Rule for all patients under its care, even if 72 hours has not elapsed since the implementation of the disaster protocol.

It may be helpful for providers to keep in mind that the HIPAA Privacy Rule may be relaxed during times of emergency, as we saw during this hurricane season. In the event the HHS Secretary waives certain provisions of HIPAA, the emergency declaration bulletins can be accessed here. If you have any questions regarding the HIPAA Privacy Rule during times of an emergency, please contact one of the healthcare privacy attorneys.