In preparation for severe disasters, the Secretary of HHS declares a public safety emergency and issues a limited waiver of Health Insurance Portability and Accountability Act (“HIPAA”) sanctions and penalties), enabling hospitals to share information to assist in disaster relief efforts and ensure that patients receive the care they need.

A waiver of this type only applies:

  1. in the emergency area and for the emergency period identified in the public health emergency declaration;
  2. to hospitals that have instituted a disaster protocol; and
  3. for up to 72 hours from the time the hospital implements its disaster protocol.

Following the President’s disaster declaration in response to Hurricane Harvey’s approach, the Secretary exempted covered hospitals from incurring sanctions and penalties if they violate certain provisions of the HIPAA Privacy Rule. Upon termination of the declaration of emergency, the waiver lapses and hospitals must adhere to strict compliance of all HIPAA requirements for all patients still under care, even if 72 hours have not passed. In addition to natural disasters, there are other specific conditions under which hospitals may be allowed to share patient information. Covered entities must continue to protect patient information during emergency situations and must make reasonable efforts to limit the information they share to the “minimum necessary” to accomplish the purpose sought.

For more information on HIPAA privacy waivers, contact Linda at 781-272-8001.