In the aftermath of the California wildfires, the Department of Health and Human Services (HHS) has waived sanctions and penalties against covered entities that fail to comply with provisions of the HIPAA Privacy Rule.
The waiver is similar to HHS’ response to Hurricanes Harvey and Irma, which we discussed in a previous blog post. This waiver only applies (1) in the emergency area and for the emergency period identified in the public health emergency declaration, (2) to hospitals that have instituted a disaster protocol, and (3) for up to 72 hours from the time the hospital implements its disaster protocol.
HHS has waived sanctions and penalties for the following provisions of the HIPAA Privacy Rule:
- Requirements to obtain a patient’s consent to speak with family, friends or any other individual identified by the patient and involved in the patient’s care. 45 C.F.R. §164.510(b).
- Requirement to honor a request to opt out of the facility directory. 45 C.F.R. §164.510(a)(2).
- Requirement to distribute a notice of privacy practices. 45 C.F.R. §164.520(a)(1).
- Patient’s right to request privacy restrictions. 45 C.F.R. §164.522(a)(1).
- Patient’s right to request confidential communications. 45 C.F.R. §164.522(b).
When either HHS’s or President Trump’s declaration terminates, a hospital must resume compliance with the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since the implementation of its disaster protocol.
Even without a waiver, the HIPAA Privacy Rule allows patient information to be shared for various reasons, including those outlined in our recent blog post regarding disclosures to family, friends, and others involved in a patient’s care and for notification purposes.