Paubox blog: HIPAA compliant email made easy

Is HIPAA waived during natural disasters?

Written by Farah Amod | June 25, 2024

HIPAA is not waived during natural disasters, and healthcare organizations must still comply with HIPAA regulations. 

Furthermore, according to the HHS, "The HIPAA Privacy Rule is not suspended during a public health or other emergency; however, under certain conditions the Secretary of the U.S. Department of Health and Human Services may waive certain provisions of the HIPAA Privacy Rule under section 1135(b)(7) of the Social Security Act, if such a waiver is deemed necessary for the particular incident when the Secretary declares a public health emergency and the President declares an emergency or disaster under the Stafford Act or National Emergencies Act."


Legal framework

The legal foundation for these measures is established in Section 1135 of the Social Security Act, which grants the authority to make exceptions or adjustments to specific healthcare requirements in emergency situations. 

As stated by the HHS, "If the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule." Note what is waived: the sanctions and penalties for noncompliance with specific provisions, not the Privacy Rule itself.

The HIPAA waivers are deliberately limited in scope. A section 1135 waiver applies only within the emergency area and for the emergency period named in the declaration, only to hospitals that have activated their disaster protocol, and only for up to 72 hours after the hospital activates that protocol; once the declaration ends, the hospital must again comply with every Privacy Rule requirement, including the waived provisions, for all patients still in its care.


HIPAA waivers and disclosures

The Privacy Rule already permits covered entities to disclose protected health information (PHI) without patient authorization for the following purposes, and these permissions remain in force during a declared public health emergency whether or not a waiver has been issued:

  • Treatment: Healthcare providers may share patient information with other providers involved in an individual's care to ensure appropriate treatment and continuity of care.
  • Public health activities: Sharing PHI with public health authorities can assist in tracking and preventing the spread of diseases and coordinating emergency response efforts.
  • Law enforcement: Disclosures may be allowed to aid law enforcement in locating individuals in disaster-affected areas or investigating public safety concerns.
  • Family and friends: Healthcare providers can disclose patient information to family members, friends, or others involved in the individual's care if it is in the patient's best interest.

It's important to note that these disclosures are subject to specific conditions and restrictions to maintain patient privacy and public health needs.


Safeguarding PHI during natural disasters

While HIPAA waivers provide some flexibility during natural disasters, healthcare organizations must still take steps to safeguard PHI and maintain compliance, such as: 

  1. Emergency preparedness plans: Healthcare organizations should have emergency preparedness plans prepared, outlining procedures for protecting PHI, maintaining communication channels, and ensuring continuity of care during emergencies.
  2. Secure infrastructure and data backup: Technical safeguards like firewalls, encryption, and access controls should be implemented to protect electronic PHI (ePHI). Regular data backups and offsite storage ensure data availability and prevent loss in case of on-site system damage.
  3. Communication and collaboration: Establish clear lines of communication and protocols for sharing PHI securely among healthcare providers, emergency responders, and public health authorities. This may involve encrypted email communication, virtual private networks (VPNs), or secure messaging platforms.
  4. Patient consent and authorization: While some disclosures are allowed without patient consent during emergencies, healthcare organizations should aim to obtain patient consent whenever possible. Clear documentation of consent or authorization ensures transparency and respects patient autonomy.
  5. Ongoing risk assessments and compliance reviews: Regular risk assessments identify vulnerabilities, and compliance reviews ensure adherence to HIPAA regulations. Assessments and reviews should cover response plans, physical security measures, administrative policies, and technical safeguards.


In the news

Following Hurricane Idalia in Florida and the Maui wildfires, President Biden and HHS Secretary Becerra declared a state of emergency and a public health emergency in both locations after each caused major losses.

These declarations led to various actions, including section 1135 waivers of sanctions and penalties for noncompliance with certain HIPAA Privacy Rule provisions, giving healthcare providers greater flexibility in patient care without lowering privacy and security standards.

While these measures grant more flexibility in emergency healthcare and natural disasters, they are temporary and do not exempt providers from privacy laws; they serve to improve crisis response.


FAQs

Does HIPAA apply during natural disasters?

Yes, HIPAA remains in effect during natural disasters. The Privacy Rule already lets providers share PHI for treatment, public health activities, certain law enforcement purposes, and to involve family and friends in patient care. During a declared public health emergency, the Department of Health and Human Services (HHS) can also temporarily waive sanctions and penalties for noncompliance with a limited set of Privacy Rule provisions, for covered hospitals that have activated their disaster protocols.


Do I need consent to share patient information during a severe disaster?

Healthcare providers can share patient information without individual consent in specific scenarios such as treatment, notification, preventing imminent danger, and maintaining a facility directory. Verbal permission should be sought when possible, but if the individual is incapacitated or not available, providers may share information for these purposes if, in their professional judgment, doing so is in the patient's best interest.


Do non-compliance penalties still apply during a natural disaster?

Yes. A section 1135 waiver shields a covered hospital from sanctions only for the specific provisions waived, only in the declared area and period, and only while its disaster protocol is active; every other requirement, including the Security Rule's protections for ePHI, is still enforceable. Violations can still trigger civil penalties, which are tiered by the level of culpability and range from thousands of dollars per violation to more than a million dollars per year for repeated violations of the same provision. Knowing or willful violations can lead to criminal charges involving fines and potential imprisonment.