Health and Human Services (HHS) Secretary Alex Azar has declared public health emergencies for Florida, Georgia and South Carolina as of September 3 due to Hurricane Dorian. This declaration triggers temporary, limited changes to the HIPAA Privacy Rule for hospitals, but overall, patients’ rights to privacy continue and compliance with HIPAA is still required during natural disasters.
HIPAA is NOT Suspended During Natural Disasters
When disaster strikes, hospitals and public health agencies work overtime to protect the health and safety of individuals who face risks and injury. Time is short and personnel may be overworked.
As of 2 a.m. on Wednesday, September 4, the National Hurricane Center said that most of the Southeast coast, from Central Florida to North Carolina, faced “a danger of life threatening inundation from rising water” within the next 36 hours from Hurricane Dorian.
Although HIPAA remains in place when a public health emergency is declared, several provisions of the Privacy Rule are waived or suspended for hospitals, for a limited time. Otherwise, HIPAA remains in effect, and once the time period has ended, the suspended provisions are back in place.
In short, there are established rules for HIPAA and natural disasters.
HIPAA and Natural Disasters: What Changes?
The waiver rules are simple.
During a natural disaster, HHS will waive sanctions and penalties against a hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
- the requirement to honor a request to opt out of the facility directory
- the requirement to distribute a notice of privacy practices
- the patient’s right to request privacy restrictions
- the patient’s right to request confidential communications
The HIPAA Natural Disaster waiver only applies:
(1) in the emergency area and for the emergency period identified in the public health emergency declaration;
(2) to hospitals that have instituted a disaster protocol; and
(3) for up to 72 hours from the time the hospital implements its disaster protocol.
When the natural disaster emergency declaration ends, the waivers end and a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
The HIPAA E-Tool® Guidance
The first requirement for hospitals to take advantage of the HIPAA Privacy Rule waivers during a disaster is to have a disaster protocol, a key element of the HIPAA Risk Analysis – Risk Management Plan.
The Risk Analysis module of The HIPAA E-Tool® provides everything needed to create and document a Risk Management Plan with step-by-step guidance on how to do it yourself.
Stay up to date on HIPAA requirements – including when waivers apply – with The HIPAA E-Tool®.