As Hurricane Dorian moves up the East Coast, the Secretary of the Department of Health and Human Services (HHS), Alex Azar, has declared a public health emergency in Puerto Rico, and in the states of Florida, Georgia, and South Carolina. As part of the declaration of the Public Health Emergency (PHE), the Secretary has issued a limited HIPAA waiver that waives sanctions and penalties under certain provisions of the HIPAA Privacy Rule. Entities to whom the provisions apply must still comply with the rules – it is only the enforcement of compliance with the rules that is being waived.
When May the Secretary Issue a Limited HIPAA Waiver?
The Secretary may only exercise the limited HIPAA waiver authority if:
- The President declares an emergency or disaster; and
- The Secretary of HHS declares a public health emergency.
With respect to Hurricane Dorian, the President has declared an emergency or disaster, and the Secretary of HHS has declared a public health emergency. Therefore, the conditions that must be met for a limited HIPAA waiver have been met.
Once these conditions are met, the Secretary may waive sanctions and penalties against a covered entity that does not comply with certain provisions of the HIPAA Privacy Rule, which regulates the use and disclosure of patients’ protected health information (PHI). These provisions include:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
- The requirement to honor a request to opt out of a covered entity’s facility directory
- The requirement to distribute a notice of privacy practices
- The patient’s right to request privacy restrictions
- The patient’s right to request confidential communications
For the Hurricane Dorian public health emergency, the Secretary has waived sanctions and penalties against covered entities that do not comply with the provisions listed above. The limited HIPAA waiver only applies to Puerto Rico, and the states of Florida, Georgia, and South Carolina.
When and to What Entities Does the Waiver Apply?
The waiver applies:
- In the emergency area, and for the emergency period, identified in the public health emergency declaration; and
- To hospitals that have instituted a disaster protocol; and
- For up to 72 hours from the time the hospital implements its disaster protocol.
When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the HIPAA Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.