Californian Wildfires Result in HIPAA Waiver

Earlier this month, the Secretary of the U.S. Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires.

This waiver is like those issued following Hurricanes Irma and Maria. This limited waiver of HIPAA sanctions and penalties only applies when healthcare providers have implemented their disaster protocol. Furthermore, the waiver only covers the 72 hours immediately following the implementation of that protocol. In the event of the public health emergency declaration ending, healthcare organizations must then comply with all provisions of the HIPAA Privacy Rule for all patients still under their care. This is regardless of whether the 72-hour period has passed.

Whenever the HHS issued a limited waiver of HIPAA sanctions and penalties, healthcare organizations must still comply with the requirements of the HIPAA Security Rule. Furthermore, the Privacy Rule is not suspended.  The HHS simply exercises its authority under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b) (7) of the Social Security Act, and will not impose sanctions or penalties against healthcare organizations for the following provisions of the HIPAA Privacy Rule:

• 45 CFR 164.510(b) – The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
• 45 CFR 164.510(a) – The requirement to honor a request to opt out of the facility directory.
• 45 CFR 164.520 – The requirement to distribute a notice of privacy practices.
• 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
• 45 CFR 164.522(b) – The patient’s right to request confidential communications.

In emergency situations, such as the recent wildfires and devastating hurricanes, the HIPAA Privacy Rule permits HIPAA-covered entities to share patients’ PHI to assist in disaster relief efforts. This is with the goal of ensuring patients receive the care they need, and is not seen as a breach of PHI integrity.

The CE may also disclose PHI with the purpose of providing treatment to patients, to coordinate patient care, or when referring patients to other healthcare providers in emergency situations.  Furthermore, HIPAA allows for PHI to be shared for public health activities to allow organizations to carry out their public health missions.

The covered entity can disclose this PHI to family members, friends, and other individuals involved in a patients’ care, as necessary. This is to identify, locate, or notify family members of the patient’s location, condition, or loss of life. In an emergency, these disclosures can be made to anyone, as necessary, to prevent or lessen a serious injury and disclosures can be made to the media about a patient’s general health status and limited facility directory information can also be disclosed for a named patient, provided the patient has not objected to such disclosures.

In all cases of disclosing PHI, the ‘minimum necessary’ standard applies. Information should be restricted to the minimum necessary information to achieve the specific purpose for which it is disclosed. If an excess of information is given, this is a breach of HIPAA legislation.