satellite view of hurricane

HIPAA and Natural Disasters: Hurricanes

Health and Human Services (HHS) Secretary Alex Azar has declared public health emergencies for Florida, Georgia and South Carolina as of September 3 due to Hurricane Dorian. This declaration triggers temporary limited changes to the HIPAA Privacy Rule for hospitals, but overall, patients’ rights to privacy continue and compliance is still required with HIPAA and natural disasters.

HIPAA is NOT Suspended During Natural Disasters

When disaster strikes, hospitals and public health agencies work overtime to protect the health and safety of individuals who face risks and injury. Time is short and personnel may be overworked.

As of 2 a.m. on Wednesday, September 4, the National Hurricane Center said that most of the Southeast coast, from Central Florida to North Carolina faced “a danger of life threatening inundation from rising water” within the next 36 hours from Hurricane Dorian.

Although HIPAA remains in place when a public health emergency is declared, several provisions of the Privacy Rule are waived or suspended for hospitals, for a limited time. Otherwise HIPAA remains in effect, and once the time period has ended, the suspended provisions are back in place.

In short, there are established rules for HIPAA and natural disasters.

HIPAA and Natural Disasters: What Changes?

The waiver rules are simple.

During a natural disaster HHS will waive sanctions and penalties against a hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • the requirement to honor a request to opt out of the facility directory
  • the requirement to distribute a notice of privacy practices
  • the patient’s right to request privacy restrictions
  • the patient’s right to request confidential communications

The HIPAA Natural Disaster waiver only applies:

(1) in the emergency area and for the emergency period identified in the public health emergency declaration;

(2) to hospitals that have instituted a disaster protocol; and

(3) for up to 72 hours from the time the hospital implements its disaster protocol.

When the natural disaster emergency declaration ends, the waivers end and a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.

The HIPAA E-Tool® Guidance

The first requirement for hospitals to take advantage of the HIPAA Privacy Rule waivers during a disaster is to have a disaster protocol, a key element of the HIPAA Risk Analysis – Risk Management Plan.

The Risk Analysis module of The HIPAA E-Tool® provides everything needed to create and document a Risk Management Plan with step-by-step guidance on how to do it yourself.  

Stay up to date on HIPAA requirements – including when waivers apply – with The HIPAA E-Tool®.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Share This Post

Share on facebook
Share on twitter
Share on linkedin

Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2019 The ET&C Group LLC.
The HIPAA E-Tool® is a registered trademark of The ET&C Group LLC
Terms of Service | Privacy Policy

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free