HHS Issues Partial Waiver of HIPAA Penalties and Sanctions within California

The Secretary of the U.S. Division of Human and Health Services has released a limited waiver of HIPAA sanctions as well as fines within California. The renunciation was announced after the presidential declaration of a public health crisis in northern California as a result of the wildfires.

As was the situation with the waivers released after Hurricanes Irma and Maria, the partial renunciation of HIPAA sanctions and fines only concerns when healthcare providers have applied their disaster protocol, and then just for a period of up to 72 hours after the implementation of that procedure. In the event of the public health crisis declaration ending, healthcare companies must then abide by all provisions of the HIPAA Secrecy Rule for all sick persons still under their care, even when the 72-hour duration hasn’t yet finished.

Every time the HHS releases a partial renunciation of HIPAA sanctions as well as fines, healthcare organizations should still abide by the conditions of the HIPAA Safety Law as well as the Privacy Law isn’t deferred.  The HHS just exercises its power as per the Project Bioshield Rule of 2004 (PL 108-276) as well as section 1135(b) (7) of the Social Security Act, and won’t impose sanctions or fines against healthcare businesses for the following requirements of the HIPAA Privacy Law:

  • 45 CFR 164.510(b) – The requirements to get a patient’s agreement to speak with relatives or friends involved in the patient’s treatment.
  • 45 CFR 164.510(a) – The condition to honor an appeal to opt out of the service directory.
  • 45 CFR 164.520 – The condition to distribute a notification of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request secrecy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request secret communications.

Even in emergency conditions, the HIPAA Privacy Law permits HIPAA-protected entities to disclose patients’ PHI to help in calamity relief attempts and to help make sure patients receive the treatment they require.

PHI may also be leaked for the purpose of providing cure to patients, in order to coordinate patient treatment, or when mentioning patients to other healthcare suppliers.  PHI can be disclosed for public health activities to let businesses to perform their public health duties. Disclosures can be made to relatives, friends, and other individuals engaged in a patients’ care, as required, to find, locate, or inform relatives of the patient’s condition, location, or loss of life. Disclosures can be made to anybody, as required, to lessen or prevent a serious injury and leaks can be made to the mass media about a patient’s general health position and partial facility directory information can also be leaked for a named patient, provided the patient hasn’t opposed to such disclosures.

In all instances, the ‘minimum necessary’ requirement applies. Information should be confined to the minimum necessary information to accomplish the specific purpose for which it’s divulged.

Further information on the renunciation can be found in the HHS bulletin on this link.