Limited HIPAA waivers implemented during Texas winter storm
HHS acting Secretary Norris Cochran declared a public health emergency (PHE) for the state of Texas on February 17 as a result of the recent winter storms.
In declaring the PHE, Cochran also exercised the authority to waive sanctions and penalties against a covered entity (CE) that does not comply with the following provisions of the HIPAA Privacy Rule:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
- The requirement to honor a request to opt out of the facility directory
- The requirement to distribute a Notice of Privacy Practices
- The patient’s right to request privacy restrictions
- The patient’s right to request confidential communications
The waiver applies only within the emergency area and for the period identified in the PHE and for the emergency period identified in the PHE declaration. The waivers are retroactive to February 11, according to HHS. When the PHE declaration terminates, CEs must comply with all requirements of the Privacy Rule, even if 72 hours have not passed since the CE implemented its disaster protocol.
HHS released a bulletin outlining permitted disclosures in emergency situations that do not require waivers.
In the bulletin, HHS also highlighted how the HIPAA Privacy Rule allows patient information to be shared in emergency situations, even in the absence of a waiver. Under the Privacy Rule, CEs are permitted to disclose protected health information (PHI) with or without a patient’s authorization if the disclosure is necessary to treat the patient or another person who may be affected by the same emergency situation.
The Privacy Rule also enables CEs to disclose PHI without individual authorization to public health authorities such as the Centers for Disease Control and Prevention or a state or local health department for the purpose of preventing or controlling disease, injury, or disability.
In addition, CEs can make disclosures to family, friends, and others involved in an individual’s care. Information may be shared about a patient to identify and locate the patient.
The bulletin notes that disclosures to the media should be limited to facility directory information and basic information about the patient’s condition if the patient has not objected to the release of such information. Except in limited circumstances, CEs cannot disclose to the media or public specific information about the treatment of an identifiable patient—such as specific test results or details of the patient’s illness or injury—unless the patient or a personal representative has provided written authorization.
For more information on HIPAA disclosures in emergency situations, see the HHS bulletin.