Following the President’s declaration of a state of emergency, the Secretary of the U.S. Department of Health and Human Services has also declared a Public Health Emergency that eases certain HIPAA restrictions in Virginia, North Carolina, and South Carolina with HIPAA waivers. In emergency situations such as this one, the HIPAA Privacy Rule still applies. The DHHS declaration of a Public Health Emergency means relaxation of certain provisions of the Privacy Rule. During the period of the Public Health Emergency, HIPAA waivers mean that sanctions and penalties against health care providers are waived for the following provisions of the HIPAA Privacy Rule:
- The requirement to obtain authorization from a patient to speak with family members or friends involved in the patient’s care. 45 C.F.R. § 164.510(b).
- The requirement to honor requests to opt out of the facility directory. 45 C.F.R. § 164.510(a).
- The requirement to distribute a notice of privacy practices. 45 C.F.R. § 164.520
- The patient’s right to request privacy restrictions. 45 C.F.R. § 164.522(a)
- The patient’s right to request confidential communications. 45 C.F.R. § 164.522(b).
The declaration does not waive sanctions and penalties for health care organizations for all other requirements of the HIPAA Privacy, Security, and Breach Notification Rules.
The waiver exists only in the areas covered by the Public Health Emergency declaration for the period identified in the declaration and only when hospitals have initiated their disaster protocols. The waiver only lasts for 72 hours following the declaration of the emergency. When the Presidential or Secretarial declaration terminates, the waiver no longer applies, even to those patients still in the care of a hospital and even if the 72-hour time period has not elapsed.
The DHHS Office for Civil Rights has responded to the declaration by issuing guidance on appropriate sharing of health information in emergency situations, confirming how the HIPAA Privacy Rule applies to health care providers in the disaster emergency zone with these HIPAA waivers.
OCR has also made a decision tool available to help health care providers determine how the HIPAA Privacy Rule applies. See https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/decision-tool-overview/index.html.