HHS-OCR issued a limited waiver of HIPAA Sanctions and Penalties Notice for both Hurricane Harvey and Hurricane Irma. In late August and early September, Secretary Price declared Public Health Emergencies in Texas, Louisiana, Puerto Rico, the U.S. Virgin Islands, and Florida and President Trump shortly followed suit with emergency declarations for both hurricanes, as well. Since both President Trump and Secretary Price declared an emergency for Hurricane Harvey and Hurricane Irma, the Secretary of HHS may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule.

The waiver only applies (1) in the emergency area and for the emergency period identified in the public health emergency declaration, (2) to hospitals that have instituted a disaster protocol, and (3) for up to 72 hours from the time the hospital implements the disaster protocol. Upon termination of the declaration, all impacted hospitals must return to full compliance with the HIPAA Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of the disaster protocol.

HHS-OCR has also encouraged the public to utilize its Disclosures for Emergency Preparedness Decision Tool (the “Tool”). The Tool guides users in determining how the Privacy Rule applies to a contemplated disclosure by inviting the user to select questions from the Tool based on the emergency preparedness planning need.