Hurricane Harvey Privacy Waiver Issued

In response to Hurricane Harvey, the Department of Health and Human Services (HHS) has issued a waiver of certain provisions of the HIPAA Privacy Rule. Under the Project BioShield Act and section 1135(b)(7) of the Social Security Act, if the President declares an emergency or disaster and the HHS Secretary declares a public health emergency, sanctions and penalties against hospitals may be waived for a limited time for certain Privacy Rule provisions.

The waiver is designed to enable hospitals in the emergency area to provide care to patients in extreme situations when full compliance would be burdensome and inhibit care delivery. It only applies: in the emergency area during the period identified in the public health emergency declaration; to hospitals that have instituted a disaster protocol; and for up to 72 hours from the time the hospital implements its disaster protocol. When the declaration terminates, hospitals must resume compliance with all the requirements of the Privacy Rule for any patient still under their care.

The Hurricane Harvey waiver was issued on August 30, 2017, and applies to covered hospitals in Texas and Louisiana. The following Privacy Rule provisions are currently waived:

  • requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • requirement to honor a request to opt out of the facility directory
  • requirement to distribute a notice of privacy practices
  • patient’s right to request privacy restrictions
  • patient’s right to request confidential communications

The detailed bulletin announcing the waiver can be found on the HHS website, along with an Emergency Preparedness Decision Tool designed to help facilities design protocols in advance governing how to handle the disclosures in question when a waiver is in effect.