A public health emergency has been declared in areas of Puerto Rico, the U.S. Virgin Islands, and Florida affected by Hurricane Irma.
As in Louisiana and Texas following Hurricane Harvey, the U.S. Department of Health and Human Services’ OCR has announced a partial waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma.
OCR has emphasized that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to comply with HIPAA Rules; however, specific provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act.
If a hospital in the disaster area does not comply with the following provisions of the HIPAA Privacy Rule, penalties and sanctions will be waived:
- 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with relatives or friends involved in the patient’s care.
- 45 CFR 164.510(a) – Honor requests to opt out of the facility directory.
- 45 CFR 164.520 – Distribute a notice of privacy practices.
- 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
- 45 CFR 164.522(b) – The patient’s right to request confidential communications.
The waiver applies only to penalties and sanctions with respect to the above provisions of the HIPAA Privacy Rule, only to hospitals in the disaster area that have implemented their disaster procedure, and only for the time period identified in the public health emergency declaration.
The waiver applies for a maximum of 72 hours after a hospital has implemented its disaster procedure. If either the President’s or the HHS Secretary’s declaration terminates within that 72-hour period, the hospital must immediately comply with all aspects of the HIPAA Privacy Rule for all patients under its care.
In emergency situations, the HIPAA Privacy Rule does permit the sharing of PHI for treatment purposes and with public health authorities that require access to PHI to carry out their public health mission. HIPAA-covered entities are also permitted to share information with friends, family, and others involved in a person’s care, even if a waiver has not been issued. Further details of the permissible disclosures in disaster situations are given in the HHS HIPAA bulletin.
In all cases, covered entities should limit disclosures to the minimum necessary information to accomplish the purpose for which PHI is disclosed.
Even during natural disasters, healthcare organizations and their business associates must continue to comply with the HIPAA Security Rule and must ensure that appropriate physical, administrative, and technical safeguards are maintained to protect the integrity, confidentiality, and availability of electronic protected health information and to prevent unauthorized access and disclosures.