<img height="1" width="1" src="https://www.facebook.com/tr?id=156746741685952&amp;ev=PageView &amp;noscript=1">
Show all

HHS provides humane relief from HIPAA sanctions and penalties after a disaster

In the wake of a severe disaster and/ or a declared emergency, Health and Human Services (HHS) may decide to waive HIPAA sanctions and penalties against covered hospitals that may not comply with specific provisions of the HIPAA Privacy Rule.     This was done recently in the emergency areas after Hurricane Harvey hit in Texas and Louisiana.     A similar waiver may be issued after future disasters, as needed, when it becomes necessary to assist patients in receiving the care they need, and sometimes to locate missing family members.

It is important to note that this is a limited waiver – it only applies in the emergency area and for the emergency period identified in the public health emergency declaration.     In addition, the waiver only applies to hospitals that have instituted a disaster protocol for up to 72 hours from the time the hospital implements its disaster protocol.

As per the Hurricane Harvey & HIPAA Bulletin, HHS also informs us that in these disaster circumstances, penalties were waived specifically for non-compliance with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient's right to request confidential communications. See 45 CFR 164.522(b).

Even without a waiver, covered entities may share some patient information for the purpose of treating a patient, and also for public health reasons, for instance to a public authority such as the Centers for Disease Control (CDC).

To summarize, this disaster period HIPAA waiver is not a waiver of all HIPAA requirements.   It is a waiver of specific provisions as listed above.   It applies only to hospitals that have instituted and implemented a disaster protocol for strict timelines as described in HHS declarations. HHS, as a humane measure, provides this limited waiver of HIPAA sanctions and penalties to avoid unnecessary red tape during the aftermath of a disaster.

By Rema N. Deo.


24By7Security, Inc. is a premier National Cybersecurity and Compliance consulting firm. We are Cybersecurity & Compliance specialists with extensive hands on experience helping businesses build a defensive IT Infrastructure against all cyber security threats.

Related posts

April 28, 2020
April 24, 2020
April 24, 2020

Comments are closed.

Cybersecurity on campus: Centers of Higher Education being targeted for Information Breaches
Patients' Right of Access - Get it, Check it, Use it
Subscribe to our Blog!