HIPAA Alert: Ensure Availability & Security of Patient Health Info During & After Natural Disasters

A timely HIPAA reminder from the Department of Health & Human Services (HHS) following Hurricane Irma, the most intense Atlantic hurricane to strike the U.S. since Katrina in 2005:

Even during natural disasters, healthcare organizations and their business associates must continue to comply with the HIPAA Security Rule and must ensure appropriate administrative, physical, and technical safeguards are maintained to ensure the confidentiality, integrity, and availability of electronic protected health information to prevent unauthorized access and disclosures.

The HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need. In addition, while the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

Limited Waiver of HIPAA Sanctions & Penalites During a Declared Emergency

The HHS Office of Civil Rights has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act.

In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived:

• 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
• 45 CFR 164.510(a) – Honor requests to opt out of the facility directory.
• 45 CFR 164.520 – Distribute a notice of privacy practices.
• 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
• 45 CFR 164.522(b) – The patient’s right to request confidential communications.

The waiver only applies to penalties and sanctions in relation to the above provisions of the HIPAA Privacy Rule, only to hospitals in the emergency area that have implemented their disaster protocol, and only for the time period identified in the public health emergency declaration.

The waiver applies for a maximum of 72 hours after a hospital has implemented its disaster protocol. If either the President’s or HHS Secretary’s declaration terminates within that 72-hour time period, the hospital must immediately comply with all aspects of the HIPAA Privacy Rule for all patients under its care.

In emergency situations, the HIPAA Privacy Rule does permit the sharing of PHI for treatment purposes and with public health authorities that require access to PHI to carry out their public health mission. HIPAA-covered entities are also permitted to share information with family, friends, and others involved in an individual’s care, even if a waiver has not been issued. Further details of the allowable disclosures in emergency situations are detailed in the HHS "Hurricane Irma & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Declared Emergency.  

In all cases, covered entities must limit disclosures to the minimum necessary information to achieve the purpose for which PHI is disclosed.

Sources: hhs.gov/hipaa; hhs.gov/ocr

Questions About HIPAA?

Contact HIPAA Privacy Officer Zorana Vojnovic at (402) 354-6863 or @email.