Hurricane Irma Results in Limited Waiver of HIPAA Privacy Rule

The United States government has announced a public health emergency in areas of the US Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma. In response to this, the US Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule. 

A similar waiver was issued earlier this year in Texas and Louisiana after Hurricane Harvey. The waiver is limited: it lifts HIPAA Privacy Rule sanctions and penalties only for hospitals affected by Irma.

In its announcement, OCR emphasised that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to comply with HIPAA Rules. However, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act. It is hoped that the waiver will help disaster relief teams provide care to their patients.

In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived:

  • 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • 45 CFR 164.510(a) – Honor requests to opt out of the facility directory.
  • 45 CFR 164.520 – Distribute a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

The waiver only applies to penalties and sanctions in relation to the above provisions of the HIPAA Privacy Rule, only to hospitals in the emergency area that have implemented their disaster protocol, and only for the time period identified in the public health emergency declaration.

The waiver applies for a period of 72 hours after a hospital has implemented its disaster protocol. If either the President or the HHS Secretary declares the public health emergency over, healthcare organizations must then comply with all provisions of the HIPAA Privacy Rule for all patients still under their care, even if the 72-hour window has not yet ended.

In emergency situations, the HIPAA Privacy Rule allows healthcare workers to share PHI for treatment purposes and with public health authorities that require access to PHI to carry out their public health mission. HIPAA-covered entities are also permitted to share information with family, friends, and others involved in an individual’s care, even if a waiver has not been issued.

HIPAA-covered entities must still adhere to the “minimum necessary” standard: disclosures of PHI must be limited to the minimum information necessary to achieve the purpose for which the PHI is disclosed.

Even during natural disasters, healthcare organizations and their business associates must continue to comply with the HIPAA Security Rule. They must maintain appropriate administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of electronic protected health information and prevent unauthorized access and disclosures.