Declaration of Limited HIPAA Waiver in Puerto Rico, Florida, Georgia and South Carolina Due to Hurricane Dorian


The Secretary of the Department of Health and Human Services (HHS), Alex Azar, has made an announcement placing Puerto Rico and the states of Georgia, Florida, and South Carolina in a public health emergency (PHE) because of Hurricane Dorian.

The announcement of the presidential PHE in the previously mentioned areas was made while the states get ready for the landfall o the hurricane. The statement was complemented by the declaration of a limited waiver of HIPAA sanctions and penalties for selected provisions in the HIPAA Privacy Rule, as required by the Social Security Act’s Project Bioshield Act of 2004. The waiver is only applicable during the covered time period of the PHE in the areas declared to be in PHE.

The waiver is applicable to hospitals that have carried out their standard disaster protocol for up to 72 hours since the implementation of the protocol, except if the PHE declaration is terminated prior to the 72-hour period.

When the PHE concludes, hospitals need to comply with all HIPAA Privacy Rule requirements with regards to patient care, including for those patients who came under hospital care when the PHE comes to an end. The HHS remarks that while in a PHE, the HIPAA Privacy and Security Rules requirements continue to be in place.

Even without a HIPAA waiver, the HIPAA Privacy Rule allows the disclosure of patient data to friends, family, public health officers, and emergency staff. Entities are allowed to share patient data for reasons related to giving treatment, public health activities, and prevention of a serious public health or safety threat. Patient information can likewise be discussed with patients’ friends, family members and other people engaged in their care to make sure they are provided proper care and treatment.

The HHS will waive HIPAA sanctions and penalties for the provisions of the HIPAA Privacy Rule listed below during a PHE:

  • The need to acquire a patient’s consent to speak with loved ones or friends engaged in the care of the patient. See 45 CFR 164.510(b).
  • The need to honor a request to be delisted from the facility directory. See 45 CFR 164.510(a).
  • The need to provide a notice of privacy practices. See 45 CFR 164.520.
  • The right of a patient to ask for privacy restrictions. See 45 CFR 164.522(a).
  • The right of a patient to ask for private communications. See 45 CFR 164.522(b).

For additional information concerning the waiver and HIPAA privacy and disclosures of PHI during times of emergency situations, visit this link.