Severe disasters impose challenges on health care providers
Severe disasters, such as we experienced with Hurricane Harvey, impose challenges on health care providers. Questions arose about the ability of healthcare providers and other entities covered by HIPAA privacy rules to share information with family, friends, public health officials and other emergency personnel. The HIPAA privacy rules allow for information to be shared in disaster relief efforts and to assist patients in receiving the care they need when events like Harvey occur.
While the HIPAA Privacy Rule was not suspended during or in the aftermath of Hurricane Harvey, the Secretary of HHS declared a public health emergency in Texas and Louisiana. The Secretary exercised authority to waive certain sanctions and penalties against covered entities that did not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b)
- the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a)
- the requirement to distribute a notice of privacy practices. See 45 CFR 164.520
- the patient's right to request privacy restrictions. See 45 CFR 164.522(a)
- the patient's right to request confidential communications. See 45 CFR 164.522(b)
When the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.