OCR grants limited HIPAA waiver to hospitals affected by Irma

In response to a declared public health emergency, the Department of Health and Human Services’ Office for Civil Rights has granted a limited waiver of HIPAA sanctions and penalties for hospitals in portions of Florida, Puerto Rico and the U.S. Virgin Islands affected by Hurricane Irma.

According to OCR, the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts to ensure patients receive needed medical care.

“While the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act,” the OCR’s bulletin notes.

As a result, the HHS Secretary has “exercised the authority to waive sanctions and penalties against a covered hospital that does not comply” with several provisions of the HIPAA Privacy Rule, including requirements to:

• Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care

• Honor a request to opt out of the facility directory

• Distribute a notice of privacy practices

• Honor a patient’s right to request privacy restrictions and to request confidential communications

At the same time, OCR notes in its bulletin that the limited waiver applies only in the emergency area and for the emergency period identified in the public health emergency declaration; to hospitals that have instituted a disaster protocol; and for up to 72 hours from the time the hospital implements its disaster protocol.

“When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol,” states the bulletin.

OCR also points out that in such emergency situations “covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.” In addition, the agency reminds covered entities and their business associates that they “must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”

Two weeks ago, HHS issued similar HIPAA waivers for providers affected by Hurricane Harvey.
