HIPAA enforcement discretion gives healthcare providers flexibility during emergencies and public health crises. HHS can waive sanctions and penalties for certain HIPAA requirements so that providers can deliver essential care while still protecting patient privacy and security.
HIPAA enforcement discretion occurs when the HHS Secretary declares that the Department will exercise flexibility in enforcing HIPAA Rules. This discretion can be temporary or permanent, region-specific or nationwide.
It is typically announced in response to emergencies or disasters that threaten public health. Under §1135 of the Social Security Act, the HHS Secretary may waive sanctions and penalties for noncompliance with specific Privacy Rule provisions once the President has declared an emergency or disaster and the Secretary has declared a public health emergency. Separately, the Office for Civil Rights (OCR) may issue a Notice of Enforcement Discretion stating that it will not impose penalties for specified good-faith conduct during the emergency.
Read more: Understanding and implementing HIPAA rules
Most instances of HIPAA enforcement discretion are temporary and region-specific. A §1135 waiver applies only in the emergency area and for the emergency period identified in the declaration, only to hospitals that have instituted a disaster protocol, and only for up to 72 hours from the time the hospital implements that protocol. It does not extend to health plans or business associates.
During periods of HIPAA enforcement discretion, sanctions and penalties for certain requirements may be waived. Under a §1135 waiver, the Secretary can waive sanctions and penalties for noncompliance with the following Privacy Rule standards:
Read more: Is HIPAA waived during natural disasters?
The HIPAA Privacy Rule permits a business associate to use and disclose protected health information (PHI) for public health and health oversight activities only if its business associate agreement (BAA) with the covered entity permits it.
During the COVID-19 public health emergency, OCR issued a Notice of HIPAA Enforcement Discretion stating that it would not impose penalties on business associates for good-faith uses and disclosures of PHI for public health and health oversight purposes to authorized agencies, such as the Centers for Disease Control and Prevention (CDC), even where the BAA did not expressly permit them. The business associate still had to inform the covered entity within 10 calendar days of the use or disclosure. That notice expired with the end of the public health emergency on May 11, 2023.
During a public health emergency, OCR clarified that the HIPAA Privacy Rule already permits covered entities to share PHI with first responders in certain circumstances, including law enforcement, paramedics, and other public safety personnel, without first obtaining the patient's authorization. These disclosures are permitted when needed to prevent or control disease, injury, or disability and to protect the health and safety of individuals and the public.
Read more: Sharing patient information with authorization
In January 2021, an amendment to the HITECH Act (Public Law 116-321) directed the HHS Secretary to take a covered entity's or business associate's "recognized security practices" into account when determining fines, the length of audits, and the remedies in a corrective action plan following a breach or other potential violation.
Covered entities and business associates can benefit from this discretion by demonstrating that recognized security practices were in place for at least the preceding twelve months. The statute defines recognized security practices as standards, guidelines, and best practices developed under the NIST Act (such as the NIST Cybersecurity Framework), the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 (the Health Industry Cybersecurity Practices), or other programs and processes recognized by statute or regulation. Having such practices in place is a mitigating factor; it does not bar enforcement.
HIPAA enforcement discretion has been exercised in various situations, both natural disasters and public health emergencies. Some recent examples include:
Following Hurricane Idalia in Florida and the Maui wildfires in 2023, President Biden issued emergency declarations and HHS Secretary Becerra declared public health emergencies for both areas in response to the scale of the losses.
These declarations led to various actions, including §1135 waivers of sanctions and penalties for certain HIPAA Privacy Rule provisions, giving healthcare providers greater flexibility in patient care during the crisis without suspending the underlying privacy and security standards.
While these measures grant more flexibility during emergencies and natural disasters, they are temporary and do not exempt providers from privacy laws; their purpose is to improve crisis response.
Yes, HIPAA remains in effect during natural disasters. The Privacy Rule already permits providers to share PHI for treatment, for public health activities, with law enforcement in defined circumstances, and with family and friends involved in a patient's care. During a declared public health emergency, the Department of Health and Human Services (HHS) can additionally waive sanctions and penalties for certain Privacy Rule provisions for a limited time and area.
Neglecting HIPAA compliance during a natural disaster still carries severe repercussions. Violations that fall outside a waiver or enforcement discretion notice remain subject to civil money penalties, assessed per violation and subject to annual caps that reach into the millions of dollars. Knowing violations can lead to criminal charges carrying fines and imprisonment.
Healthcare providers can share patient information without individual authorization in specific scenarios such as treatment, notifying family or others involved in care, preventing a serious and imminent threat, and maintaining a facility directory. Verbal permission should be sought when possible, but if the individual is incapacitated or unavailable, providers may share information for these purposes if, in their professional judgment, doing so is in the patient's best interest.
See also: HIPAA Compliant Email: The Definitive Guide