Some HIPAA Requirements Waived For Hospitals Affected By Hurricane Harvey

Hospitals and other healthcare organizations affected by Hurricane Harvey in Texas and Louisiana were granted an emergency reprieve from certain limited HIPAA requirements, the Office for Civil Rights (OCR) announced in an August 30 email alert. The agency also published a bulletin August 29.

Tom Price, MD, secretary of HHS, declared a public health emergency in Texas and Louisiana on August 26, and waived the authority to levy sanctions and penalties against hospitals in either state for failing to comply with specific sections of the Privacy Rule. The waived requirements are:

  • Distributing the Notice of Privacy Practices
  • Honoring a request to opt out of the facility directory
  • Obtaining the patient’s agreement to disclose information to family members or friends involved in the patient’s care

Certain privacy rights granted to patients are also waived for hospitals in Texas and Louisiana. These are the patient’s right to request privacy restrictions and confidential communications.

Hospitals and other covered entities (CE) should be aware that all other sections of the Privacy Rule, as well as all sections of the Security Rule and the Breach Notification Rule, continue to apply throughout the waiver period. The waiver only applies to CEs in Texas and Louisiana that have begun their disaster protocols. The waiver will only last for the duration of the public health emergency. Although the public health emergency was announced August 26, it is retroactively effective to August 25. The waiver will terminate when the public health emergency does; at that time, all provisions of the Privacy Rule go back into effect for all affected entities and patients.

CEs can refer to HHS’ Hurricane Harvey updates for the latest information on the public health emergency.

OCR issued guidance on permissible disclosures to a patient’s loved one, regardless of whether they are considered relatives under applicable laws, on January 10. The guidance was issued in response to the 2016 shooting at the Pulse nightclub in Orlando. Buddy Dyer, the mayor of Orlando, requested that the White House waive HIPAA while hospitals attempted to identify patients and notify family members and loved ones.

HHS responded that a waiver was not necessary and providers may use their professional judgment to make disclosures in the best interest of a patient. The January guidance clarified that CEs are permitted to share relevant information about a patient with the patient’s partner, guardian, caregiver, or close personal friend, and are also permitted to disclose a patient’s information to notify or assist in notifying a patient’s loved ones. The guidance specified that CEs are not allowed to limit disclosures to loved ones based on sex or gender identity.