HIPAA Privacy Compliance After a Hurricane
How Much Flexibility Do Healthcare Organizations Have?
The deadly and unusually active hurricane season has prompted federal regulators to issue several HIPAA waivers in recent weeks for hospitals in the affected regions as well as issue guidance for those navigating patient privacy issues during a crisis situation.
But are such waivers really necessary?
Privacy attorney Kirk Nahra of the law firm Wiley Rein says that in general, healthcare providers already have some flexibility related to HIPAA during crisis situations.
"It is not entirely clear what purpose these waivers serve - or whether they are really necessary - but, at a minimum they give providers some additional comfort in their ability to address specific situations stemming from these emergencies," Nahra says.
"In general, providers often have the ability to make reasonable and appropriate judgments in situations - these waivers just make it clearer that there won't be enforcement problems," he says. The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, "generally is sufficiently reasonable, so it is hard to see a good faith judgment being subject to enforcement even without these waivers."
But even though HIPAA allows flexibility for patient information to be shared in emergency situations without a waiver, the issue has been a source of confusion, says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"In the wake of Hurricane Katrina in 2005, HHS found that healthcare organizations were uncertain how the HIPAA Privacy Rule applied to sharing information about individuals with disaster relief organizations, public health authorities as well as getting word to friends and family members concerning their loved ones," he says.
"Healthcare providers also reported feeling burdened in carrying out the privacy rule's requirements to provide [patients with] Notices of Privacy Practices, handle patients' requests for restrictions on disclosures of protected health information, and handle requests for confidential communications," he adds. "Healthcare organizations were also uncertain if emergency declarations meant suspension of all the requirements of the HIPAA Rules to safeguard protected health information in paper or electronic form."
Action After Hurricane Maria
On Sept. 20, as Hurricane Maria raged, HHS issued a "limited waiver of HIPAA sanctions and penalties" for hospitals in Puerto Rico and the territory of the U.S. Virgin Islands.
In recent weeks, HHS has also issued waivers for hospitals in Texas, Louisiana and Florida that were impacted by hurricanes Harvey and Irma. Puerto Rico and the U.S. Virgin Islands were also among regions covered by a Sept. 8 HIPAA waiver issued during Hurricane Irma.
HHS says that while the HIPAA Privacy Rule is not suspended during a public health or other emergency, the secretary of HHS may waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 and a section of the Social Security Act.
During the latest declaration of a health emergency in the Hurricane Maria-stricken regions, HHS Secretary Tom Price exercised his authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care;
- The requirement to honor a request to opt out of the facility directory;
- The requirement to distribute a notice of privacy practices;
- The patient's right to request privacy restrictions;
- The patient's right to request confidential communications.
HHS notes that when the HHS secretary issues such a waiver, however, it only applies:
- In the emergency area and for the emergency period identified in the public health emergency declaration;
- To hospitals that have instituted a disaster protocol, and for up to 72 hours from the time the hospital implements its disaster protocol.
When the emergency declaration terminates in the region, a hospital must then comply with all the requirements of the privacy rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol, HHS says.
Holtzman notes that while the HHS secretary's waiver is limited to 72 hours, the declaration can be extended or reissued if deemed necessary. "However, even without a waiver, the privacy rule allows patient information to be shared in emergency situations for healthcare treatment ... or to notify friends and family of the patient [or to make] disclosures to disaster relief organizations like the American Red Cross and public health authorities," he explains.
Other Crisis Situations
Hurricanes haven't been the only occasion when OCR has issued reminders to healthcare providers about HIPAA Privacy Rule flexibility during crisis situations.
For instance, in the aftermath of the June 2016 mass shooting at an Orlando, Fla., nightclub, confusion emerged over whether the Obama administration had issued a special public health emergency waiver to suspend certain privacy provisions of HIPAA to help ease communication between healthcare providers caring for the injured and those patients' families.
While HHS did not issue a HIPAA waiver, OCR reiterated that HIPAA allows healthcare professionals the flexibility to disclose limited health information to the public or media in appropriate circumstances. These disclosures, which are made when it is determined to be in the best interest of a patient, are permissible without a waiver to help identify incapacitated patients, or to locate family members of patients to share information about their condition, OCR said (see No HIPAA Waiver Needed in Orlando Shooting Aftermath).
OCR recently issued general reminder guidance for healthcare entities dealing with crises and disasters, including hurricanes.
"Making sure that health information is available before, during and after the storm is a critical part of that preparation," OCR says. That includes ensuring that "medical professionals and emergency personnel understand when the HIPAA regulations may apply to them - and when those regulations apply, how they can share individually identifiable protected health information during emergency situations."
HHS also provides an emergency preparedness online decision tool to help healthcare and emergency workers determine how the HIPAA Privacy Rule applies to various disclosures during disasters and other crises.
For instance, in situations involving the imminent threat to the health and safety of an individual or the public, healthcare providers "may disclose a patient's health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, caregivers and law enforcement, without a patient's permission," OCR notes.
Holtzman notes that in advance of crises, healthcare organizations should develop plans for how to deal with security and privacy issues in emergencies and natural disasters. "Many organizations located in areas that are at risk for natural disasters like hurricanes, tornadoes or earthquakes regularly conduct emergency preparedness exercises to practice the implementation of emergency procedures," he says.