What HIPAA Sanctions and Penalties are Waived in Declared Emergencies?

It’s been said that you need to know the rules to break the rules (Pablo Picasso, the Dalai Lama, and my college English professor). This is especially true regarding privacy issues during declared disasters: You should know when some HIPAA requirements are set aside or modified to better serve those who might otherwise suffer.

This has recently been the case in New Mexico, where President Joseph R. Biden, Jr. has issued a disaster declaration (Limited Waiver of HIPAA Sanctions) for the state and Secretary Xavier Becerra has declared a public health emergency in New Mexico due to wildfires and straight-line winds.


Requirements and Rights in a New Light

Under these circumstances, the Secretary has also exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule. In other words, the following are not enforced or penalized:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • the requirement to honor a request to opt out of the facility directory
  • the requirement to distribute a notice of privacy practices
  • the patient’s right to request privacy restrictions
  • the patient’s right to request confidential communications


When the Waiver Applies

Take note, however, that the waiver does not cover everything or last forever. It only applies:

  • in the emergency area and for the emergency period identified in the public health emergency declaration
  • to hospitals that have instituted a disaster protocol
  • for up to 72 hours from the time the hospital implements its disaster protocol

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

It is also important to note that the waiver, like HIPAA, only applies to covered entities and business associates. Entities outside of these, such as the American Red Cross, are not restricted from sharing patient information, though there may be other state or federal rules that apply.


When a Waiver is Not Necessary

Even without the waiver, the HIPAA Privacy Rule allows patient information to be shared in emergency situations for certain purposes and conditions. Here are some of those:

  • Treatment – PHI about the patient is necessary for treatment
  • Public Health Activities – A legitimate need to ensure public health and safety
  • Persons at Risk – To prevent or control the spread of disease
  • Disclosures to Family, Friends and Caregivers – As necessary to identify, locate, and notify those responsible for the patient
  • Disclosures to the Media – To acknowledge an individual is a patient and provide basic information about the patient’s condition in general terms

This list is by no means exhaustive, though by now, you may be exhausted by the rules and variations. That’s where we come in. As HIPAA experts, we can provide guidance and answers should your entity be affected by a disaster.

Contact the HIPAA experts at PrivaPlan today. Email info@privaplan.com or call 877-218-7707.
