HHS-OCR issued a limited waiver of HIPAA Sanctions and Penalties Notice for both Hurricane Harvey and Hurricane Irma. In late August and early September, Secretary Price declared Public Health Emergencies in Texas, Louisiana, Puerto Rico, the U.S. Virgin Islands, and Florida and President Trump shortly followed suit with emergency declarations for both hurricanes, as well. Since both President Trump and Secretary Price declared an emergency for Hurricane Harvey and Hurricane Irma, the Secretary of HHS may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule.

The waiver only applies (1) in the emergency area and for the emergency period identified in the public health emergency declaration, (2) to hospitals that have instituted a disaster protocol, and (3) for up to 72 hours from the time the hospital implements the disaster protocol.  Upon termination of the declaration, all impacted hospitals must return to full compliance with the HIPAA Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of the disaster protocol.

HHS-OCR has also encouraged the public to utilize its Disclosures for Emergency Preparedness Decision Tool (the “Tool”). The Tool guides users in determining how the Privacy Rule applies to a contemplated disclosure by inviting the user to select questions from the Tool based on the emergency preparedness planning need.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.