<img height="1" width="1" src="https://www.facebook.com/tr?id=156746741685952&amp;ev=PageView &amp;noscript=1">
SCHEDULE A CALL
SCHEDULE A CALL
Show all

HHS provides humane relief from HIPAA sanctions and penalties after a disaster

September, 5 2017
canstockphoto27696852-disasterrecovery

In the wake of a severe disaster and/ or a declared emergency, Health and Human Services (HHS) may decide to waive HIPAA sanctions and penalties against covered hospitals that may not comply with specific provisions of the HIPAA Privacy Rule.     This was done recently in the emergency areas after Hurricane Harvey hit in Texas and Louisiana.     A similar waiver may be issued after future disasters, as needed, when it becomes necessary to assist patients in receiving the care they need, and sometimes to locate missing family members.

It is important to note that this is a limited waiver – it only applies in the emergency area and for the emergency period identified in the public health emergency declaration.     In addition, the waiver only applies to hospitals that have instituted a disaster protocol for up to 72 hours from the time the hospital implements its disaster protocol.

As per the Hurricane Harvey & HIPAA Bulletin, HHS also informs us that in these disaster circumstances, penalties were waived specifically for non-compliance with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient's right to request confidential communications. See 45 CFR 164.522(b).

Even without a waiver, covered entities may share some patient information for the purpose of treating a patient, and also for public health reasons, for instance to a public authority such as the Centers for Disease Control (CDC).

To summarize, this disaster period HIPAA waiver is not a waiver of all HIPAA requirements.   It is a waiver of specific provisions as listed above.   It applies only to hospitals that have instituted and implemented a disaster protocol for strict timelines as described in HHS declarations. HHS, as a humane measure, provides this limited waiver of HIPAA sanctions and penalties to avoid unnecessary red tape during the aftermath of a disaster.

By Rema N. Deo.
24By7Security
24By7Security

24By7Security, Inc. is a premier National Cybersecurity and Compliance consulting firm. We are Cybersecurity & Compliance specialists with extensive hands on experience helping businesses build a defensive IT Infrastructure against all cyber security threats.

LinkedIn

Related posts

Embracing the Crucial Role of Cyber Resilience Beyond Data Privacy Week 2024
January, 23 2024

Embracing the Crucial Role of Cyber Resilience Beyond Data Privacy Week 2024

Read more
Five Security Best Practices for Hospitals
October, 17 2023

Five Security Best Practices for Hospitals

Read more
The High Cost of Incomplete Compliance
July, 18 2023

The High Cost of Incomplete Compliance

Read more

Comments are closed.

Cybersecurity on campus: Centers of Higher Education being targeted for Information Breaches
Patients' Right of Access - Get it, Check it, Use it
Subscribe to our Blog!

24By7Security, Inc. is your trusted partner in Cybersecurity and Compliance. We help you manage your cyber risk programs so that you can focus on your business.

    Quick Links

    Contact us

    24By7Security, Inc.
    4613 N. University Drive, Suite #267
    Coral Springs, FL 33067
    Toll Free: (844) 55-CYBER

    CONTACT US

    Social Media Connections:

    © 2024 24By7Security, Inc.  All Rights Reserved.