In response to the tragic fallout from Hurricane Harvey, an unprecedented storm that decimated the city of Houston and a large swath of the Gulf Coast of Texas and Louisiana, the U.S. Department of Health and Human Services (HHS) declared a public health emergency in both states and will waive certain sanctions and penalties under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule for affected hospitals. Specifically, HHS’s Office for Civil Rights (OCR) will exercise enforcement discretion against Covered Entity (CE) hospitals and their Business Associates (BA) in Texas and Louisiana that do not comply with certain provisions of the Privacy Rule and their handling of patients’ Protected Health Information (PHI).
As OCR explains in its Bulletin, Hurricane Harvey & HIPAA: Limited Waiver of HIPAA Sanctions and Penalties During a Declared Emergency (Bulletin), it will not enforce the following HIPAA-imposed rights and restrictions:
We emphasize the limited nature of this waiver and the fact that all other provisions of the HIPAA Privacy, Security, and Breach Notification Rules continue to apply, even during the waiver period. Indeed, this waiver applies solely: (1) to the specific area and period of emergency identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; (3) to the specific Privacy Rule provisions identified in the Bulletin; and (4) for up to 72 hours from the time the particular hospital implements its disaster protocol. At such time when the Presidential or Secretarial declaration terminates, the waiver expires. At that point, affected entities must comply with all Privacy Rule requirements for all patients still under its care, irrespective of whether 72 hours have elapsed since implementing its disaster protocol.
The Bulletin goes on to make clear that longstanding exceptions to the patient authorization requirement continue in force. To wit, treatment, public health activities, imminent danger, and limited disclosures to friends and family involved in the patient’s care, among others, remain viable avenues for CEs and their BAs to rely upon in emergency times.
As OCR further reminds us in an existing Q&A, it is important to keep in mind that HIPAA’s Privacy Rule protections are not suspended during a national or public health emergency. In very limited circumstances, where the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against regulated entities that do not comply with certain provisions of the HIPAA Privacy Rule. Clearly, Hurricane Harvey created such a situation.
We also encourage affected entities to carefully review OCR’s webpage, which provides detailed information regarding emergency situation preparedness, planning, and response – including its Disclosures for Emergency Preparedness Decision Tool. OCR structured the Tool as a Q&A process flow intended to guide regulated entities in determining how the Privacy Rule applies to a specific series of disclosures. The Tool walks entities through a number of questions focused on “the source of the information being disclosed, to whom the information is being disclosed, and the purpose of the information being disclosed.” (Of course, in addition to the disclosures discussed, entities must always carefully consider whether its uses of PHI are appropriate in all circumstances, emergency or otherwise.)
OCR also maintains an Emergency Preparedness page providing information for “at-risk people or people with special needs,” who may require particular health-related support, including medical care, transportation, supervision, and/or communication assistance. (Such populations may include, among others, children, the elderly, persons from diverse cultural origins or with limited English proficiency, as well as individuals with disabilities.) That Emergency Preparedness information focuses on how nondiscrimination laws apply during an emergency such as Harvey.
Ultimately, HHS and its individual agencies, including OCR, provide a suite of utilities for regulated industry to consult when confronting the monumental challenges that natural and other disasters present. It is, nevertheless, critical that CEs and their BAs carefully analyze these valuable resources and ensure that the rules, along with any exemptions (e.g., restrictive 72-hour time period) are heeded – even in times of crisis.