The Secretary of the U.S. Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties in California. The waiver comes as a response to the presidential declaration of a public health emergency in northern California due to the wildfires. It is hoped that the waiver will allow for the more efficient handling of patients during the emergency.
Waivers of a similar nature were issued after Hurricanes Irma and Maria. The limited waiver of HIPAA sanctions and penalties only applies when healthcare providers have implemented their disaster protocol. The waiver will only cover a 72-hour time period immediately following the implementation of that protocol. In the event of the public health emergency declaration ending, healthcare organizations must then comply with all provisions of the HIPAA Privacy Rule for all patients still under their care. Compliance must be ensured even if the 72-hour window has not yet ended.
Whenever the HHS issues a limited waiver of HIPAA sanctions and penalties, healthcare organizations must still comply with the requirements of the HIPAA Security Rule, and the Privacy Rule is not suspended. The HHS simply exercises its authority under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act, and will not impose sanctions or penalties against healthcare organizations for the following provisions of the HIPAA Privacy Rule:
- 45 CFR 164.510(b) – The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
- 45 CFR 164.510(a) – The requirement to honor a request to opt out of the facility directory.
- 45 CFR 164.520 – The requirement to distribute a notice of privacy practices.
- 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
- 45 CFR 164.522(b) – The patient’s right to request confidential communications.
The HIPAA Privacy Rule permits HIPAA-covered entities to share patients’ PHI to assist in disaster relief efforts and to help ensure patients receive the care they need. This applies even in emergency situations such as the Californian wildfires.
HIPAA-covered entities may also disclose PHI for the purpose of providing treatment to patients, to coordinate patient care, or when referring patients to other healthcare providers. PHI can be shared for public health activities to allow organizations to carry out their public health missions. PHI may be disclosed to family members, friends, and other individuals involved in a patient’s care, as necessary, to identify, locate, or notify family members of the patient’s location, condition, or loss of life.
Outside of those close to the patient, HIPAA allows for disclosures to be made to anyone, as necessary, to prevent or lessen a serious injury. Disclosures can be made to the media about a patient’s general health status, and limited facility directory information can also be disclosed for a named patient, provided the patient has not objected to such disclosures.
When information is shared, the amount shared should be restricted to the minimum necessary information to achieve the specific purpose for which it is disclosed. This is termed the “minimum necessary” rule, and is designed to ensure that even when patient information is shared, the patient’s privacy is still protected.