On September 12, 2018, President Trump approved the declaration of a federal emergency in the state of Virginia. FEMA resources were also made available to the state.
Secretary Alex Azar of the U.S. Department of Health and Human Services also declared a Public Health Emergency in Virginia, South Carolina and North Carolina.
With the Secretarial declaration, certain HIPAA restrictions are lifted to help the beneficiaries of the Centers for Medicare & Medicaid Services’ (CMS) including their healthcare providers get ready for the possible impact of Hurricane Florence. It will allow these institutions to have greater flexibility in meeting emergency health needs.
Whenever there are severe disasters and public emergencies, healthcare providers may struggle in meeting all the HIPAA Privacy Rule requirements. The HIPAA Privacy Rule continue to be in force even during emergency situations like during hurricanes. However, with a declaration of a Public Health Emergency, certain conditions of the Privacy Rule are relaxed following the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b) of the Social Security Act. Sanctions and penalty charges are waived for the following provisions of the HIPAA Privacy Rule:
- 45 CFR 164.510(b) – The requirement to get a patient’s consent before speaking with family members or friends concerned about the patient’s care
- 45 CFR 164.520 – The requirement to notify of privacy practices
- 45 CFR 164.510(a) – The requirement to accept requests to not be included in the facility directory
- 45 CFR 164.522(a) – The patient’s right to get restrictions on privacy
- 45 CFR 164.522(b) – The patient’s right to obtain private communications
Other requirements of the HIPAA Privacy, Security, and Breach Notification Rules still remain the same. Sanctions and penalties for these requirements not mentioned above are not waived.
In addition, the waiver only applies in places covered by the public health emergency declaration, during the time period determined in the declaration, and only if hospitals began observing their disaster protocol. The waiver has a 72-hour effectivity after the emergency declaration.
As soon as the Presidential or Secretarial declaration is terminated, the waiver is no longer applicable even if patients are still under a hospital’s care and even if the 72-hour time period is not yet over.
The HHS’ Office for Civil Rights issued guidance on the proper sharing of health data in disaster emergency zones as a response to the declaration. OCR also prepared a HIPAA Emergency Preparedness Decision Tool to inform healthcare providers about the applicable HIPAA Privacy Rules during emergency situations.