In response to Hurricane Harvey, the secretary of the U.S. Department of Health and Human Services (HHS), Tom Price, M.D., declared a public health emergency in Texas and Louisiana. Along with the declaration, he exercised his authority to waive sanctions and penalties against a Texas or Louisiana covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule.
The following provisions of HIPAA's Privacy Rule has been waived for Texas or Louisiana covered hospitals:
Other provisions of the Privacy Rule continue to apply, even during the waiver period.
When the Secretary issues such a waiver, it only applies:
When the President's or Secretary's declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol. All other provisions of the HIPAA regulations, including the Security Rule and the Breach Notification Rule, remain in effect. As emergency personnel and medical facilities undertake immediate action to ensure the safety of those affected, the OCR continues to highlight how the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts and to assist patients in receiving the care they need, regardless of whether a waiver is granted. For more detailed information regarding HIPAA privacy and disclosures in emergency situations, click here. For more detailed information regarding emergency situation preparedness, planning, and response, click here. To utilize the Disclosures for Emergency Preparedness Decision Tool, click here. Please view the Civil Rights Emergency Preparedness page to learn how nondiscrimination laws apply during an emergency.