Is HIPAA Suspended During a Hurricane?

The short answer is “no.” But the full answer is more mixed.

The U.S. Department of Health and Human Services (HHS) learned lessons during Hurricane Katrina (2005), Hurricane Sandy (2012) and the Ebola crisis (2014-16) that have guided its policies around exceptions to the Privacy Rule during disasters. 

HHS Bulletins Provide Guidance

Hurricane Harvey’s destruction may surpass that of Katrina and Sandy, and HHS has just today issued a Bulletin outlining its policy on waivers for hospitals in Texas and Louisiana. HHS issued  Bulletins during other emergencies, including two in 2005 resulting from Hurricane Katrina, one in 2013 related to law enforcement, and one in 2014 related to privacy in emergency situations. All of these Bulletins and additional guidance may be found here HHS Bulletins and Guidance

During a public health emergency or disaster, there are exceptions to HIPAA that permit covered entities like hospitals to share protected health information with other providers, public health authorities and certain other designated parties. On the other hand, even during a disaster, the majority of HIPAA requirements will remain in effect so covered entities must remember they are responsible for fulfilling HIPAA obligations even in the midst of a disaster.

No Excuse for Social Media Photos posted by Covered Entities

In the last several days, pictures of nursing home residents and patients in Texas have been posted on Facebook and other social media by health care providers. Whether an appeal for help, or for publicity, even if well intentioned, these are blatant violations of patient privacy and are unjustified by the emergency. 

The HIPAA Privacy Rule is not Suspended

HIPAA still applies during a public health emergency. However, if the President declares an emergency or disaster, and the HHS Secretary declares a public health emergency, then the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain HIPAA provisions. On August 27, Secretary Tom Price declared such a public health emergency in Texas. The waivers apply to the following HIPAA Privacy Rule provisions.

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. 
  • the requirement to honor a request to opt out of the facility directory.
  • the requirement to distribute a notice of privacy practices.
  • the patient’s right to request privacy restrictions.
  • the patient’s right to request confidential communications.

Note, this type of waiver only applies: 

  • In the emergency area and for the emergency period identified in the public health emergency declaration.
  • To hospitals that have instituted a disaster protocol.
  • For up to 72 hours from the time the hospital implements its disaster protocol.

When these types of declarations end, OCR adds that providers have to comply with all Privacy Rule requirements for patients in their care, “even if 72 hours has not elapsed since implementation of its disaster protocol.”

OCR also emphasizes the fact that HIPAA rules only apply to covered entities and their business associates. So, for example, the Red Cross is not subject to HIPAA, and may use and disclose patient information in order to carry out its mission.

The HIPAA Security Rule Requires Contingency Planning Before an Emergency

All covered entities and business associates must comply with the Security Rule standard requiring that they establish a Contingency Plan consisting of policies and procedures for responding to an emergency or other occurrence (for example, Fire, Vandalism, System Failure, and Natural Disaster) that damages systems containing Electronic Protected Health Information.

At a minimum, this Contingency Plan (SR-20 within The HIPAA E-Tool®) will include a Data Backup Plan (SR-21), a Disaster Recovery Plan (SR-22) and an Emergency Mode Operation Plan (SR-23). 

The Privacy and Security Rules work together. Knowing how to prepare and prevent through planning, and respond and recover during and after an emergency, are all part of a full HIPAA Compliance Policy. And while rules may be relaxed in certain circumstances, patient privacy is still a high priority and must be maintained during emergencies.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Share This Post

Share on facebook
Share on twitter
Share on linkedin

Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2020 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

3534 Washington Avenue, Saint Louis, MO 63103
Terms of Service | Privacy Policy

Powered by JEMSU

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free