There are certain times when the Secretary of the U.S. Department of Health and Human Services exercises his authority to issue a limited waiver of HIPAA sanctions and penalties. In most cases, the announcement is made after the declaration of public health emergency or the implementation of a disaster protocol. One example is the latest waiver issuance in California. It was announced after the presidential declaration of a public health emergency in northern California due to wildfires. Other instances of waiver issuance were after the implementation of disaster protocol during Hurricanes Irma and Maria.
The waiver was in effect only for a 72-hour period following the implemented protocol. When the declared public health emergency ends, it is expected that healthcare organizations will comply with all HIPAA Privacy Rule for all patients under their care.
What does it mean when a limited waiver of HIPAA sanctions and penalties is in effect? This waiver does not actually suspend the HIPAA Security Rule and the Privacy Rule. It simply means that HHS is implementing the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b) (7) of the Social Security Act. Accordingly, there will be no sanctions or penalties imposed against healthcare organizations for certain provisions of the HIPAA Privacy Rule, including:
- 45 CFR 164.510(a) – The requirement to honor a request to opt out of the facility directory.
- 45 CFR 164.510(b) – The requirements to get a patient’s agreement to talk with family members or friends involved in the patient’s care.
- 45 CFR 164.520 – The requirement to distribute a notice of privacy practices.
- 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
- 45 CFR 164.522(b) – The patient’s right to request confidential communications.
During emergency situations, the HIPAA Privacy Rule allows HIPAA-covered entities to share patients’ PHI for the purpose of assisting in disaster relief efforts and to make sure that patients receive the care they need. Healthcare organizations are also allowed to disclose PHI to help provide treatment to patients, especially when coordinating patient care and referral to other healthcare providers. PHI may be disclosed during public health activities to help organizations fulfill their public health missions. It is permitted to disclose PHI (such as patient’s condition or loss of life) to family, friends and those involved in patient care when necessary. Disclosure of a patient’s general health status to anyone including the media is permitted when necessary to prevent serious injury provided the patient has not objected to it. In all cases of disclosure, only the ‘minimum necessary’ information to achieve the stated purpose applies.