OCR grants limited HIPAA waiver to hospitals affected by Irma
In response to a declared public health emergency, the Department of Health and Human Services’ Office for Civil Rights has granted a limited waiver of HIPAA sanctions and penalties for hospitals in portions of Florida, Puerto Rico and the U.S. Virgin Islands affected by Hurricane Irma.
According to OCR, the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts to ensure patients receive needed medical care.
“While the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act,” the OCR’s bulletin notes.
As a result, the HHS Secretary has “exercised the authority to waive sanctions and penalties against a covered hospital that does not comply” with several provisions of the HIPAA Privacy Rule, including requirements to:
• Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
• Honor a request to opt out of the facility directory
• Distribute a notice of privacy practices
• Patient’s right to request privacy restrictions and to request confidential communications
At the same time, OCR notes in its bulletin that the limited waiver only applies to the following scenario: the emergency area and for the emergency period identified in the public health emergency declaration; hospitals that have instituted a disaster protocol; and for as much as 72 hours from the time the hospital implements its disaster protocol.
“When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol,” states the bulletin.
OCR also points out that in such emergency situations “covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.” In addition, the agency reminds covered entities and their business associates that they “must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”
Two weeks ago, HHS issued similar HIPAA waivers for providers affected by Hurricane Harvey.