A limited waiver of HIPAA sanctions and penalties in Louisiana was announced by the U.S. Department of Health and Human Services (HHS) Secretary to anticipate the likely devastation that Tropical Storm Barry could cause upon hitting the region on July 13. The HHS proclaimed a public health emergency in the state on July 12, 2019.
The waiver applies only to healthcare providers in Louisiana and only until the date stated in the declaration. The waiver just covers certain HIPAA Privacy Rule conditions and is in effect only up to 72 hours after the hospital’s emergency protocol implementation.
The moment the effective time for the waiver ends, healthcare providers have to adhere to all of the HIPAA Privacy regulations once again. This applies to patients placed under the hospital care when the declaration ends, whether or not the 72-hour period is up.
Even with a declared waiver, the Privacy Rule allows protected health information (PHI) sharing during disasters to help patients and make sure they are cared for. Some health data may be disclosed to members of the family, friends and any body who’s engaged in patient care.
The HIPAA Privacy Rule permits sharing of PHI for public health activities and to avoid or lessen a serious and approaching threat to patient safety. HIPAA-covered entities could likewise share information with disaster relief organizations that are sanctioned to do disaster relief projects without the need to have patient consent.
During natural disasters, the HIPAA Privacy and Security Rules remain enforcible. But with the declaration of the HHS secretary, sanctions and penalties against HIPAA covered entities are waived for these HIPAA Privacy Rule provisions:
- 45 CFR 164.510(b) – Obtaining patient consent before talking to members of the family or friends involved in patient care
- 45 CFR164.510(a) – The requirement to recognize a request to be taken out of the provider’s directory
- 45 CFR 164.520 – The need to dispatch a notification of privacy practices
- 45 CFR 164.522(a) – The right of patient to demand privacy restrictions
- 45 CFR 164.522(b) – The right of patient to demand private communications
The HHS Secretary Azar stated that the department is preparing to meet the medical needs of the communities with the help of state health and emergency management authorities. Find out about the HHS emergency proclamation and partial HIPAA waiver on this page.