Partial Waiver of HIPAA Privacy Rule Penalties Issued Following Hurricane Harvey


The Department of Health and Human Services has issued a waiver of sanctions and penalties for violations of HIPAA’s Privacy Rule in the Hurricane Harvey disaster zone.

It is often difficult for hospitals to comply with all HIPAA Privacy Rule requirements following a natural disaster. Furthermore, adhering to such limitations can potentially have a negative impact on patient care in an emergency. However, in emergency situations such as Hurricane Harvey, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and to ensure patients can be treated efficiently and safely, while ensuring that those caring for them are not fearful of incurring a penalty for violating HIPAA.

The Privacy Rule permits covered entities to share patient information for treatment purposes and for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, and to share information to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. Furthermore, under certain circumstances they are permitted to share limited PHI with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed, in accordance with the HIPAA Privacy Rule.

Despite these protocols for disasters already written into HIPAA legislation, natural disasters often call for a relaxation of HIPAA Rules. The Secretary of the Department of Health and Human Services may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, the Office of Civil Rights (OCR) issued a waiver for certain requirements of HIPAA Rules. This act was repeated during the immediate aftermath of Hurricane Katrina, when a waiver was issued for certain Privacy Rule provisions.
Within the past week, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations for hospitals in Texas and Louisiana in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:
• The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
• The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
• The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
• The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
• The patient’s right to request confidential communications. See 45 CFR 164.522(b).

These waivers are only applicable to hospitals in the emergency areas that have been identified in the public health emergency declaration. Furthermore, the waiver only applies if hospitals have instituted a disaster protocol, and it applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours have not elapsed.