Right after President Joseph R. Biden declared an emergency in the State of Texas, Acting Secretary Norris Cochran of the Department of Health and Human Services also announced a public health emergency because of the impact of the winter storm in Texas.
In accordance with Section 1135(b)(7) of the Social Security Act, the HHS Secretary declared a limited waiver of sanctions and fines that may result from non-compliance with some HIPAA Privacy Rule provisions.
For the duration of the waiver, the sanctions and penalties won’t be enforced for non-compliance with these requirements of the HIPAA Privacy Rule:
- 45 C.F.R. § 164.510(a) – the requirement to get a patient’s consent to talk to family members of friends;
- 45 C.F.R. § 164.510(b) – the requirement to respect the request of a patient to be taken from the facility directory;
- 45 C.F.R. § 164.520 – the requirement to send out a notification of privacy practices;
- 45 C.F.R. § 164.522(a) – the patient’s right to ask for privacy limitations;
- 45 C.F.R. § 164.522(b) – the patient’s right to ask for private communications.
On February 19, 2021, the waiver is going to be enforced and is going to be retroactive to February 11, 2021.
The waiver is just applicable to hospitals in the location where the public health emergency is declared and to hospitals that carried out their disaster protocols at that time that the waiver became effective. The waiver is in effect for about 72 hours since a hospital executed its disaster protocol.
As soon as the Presidential or Secretarial proclamation ends, hospitals need to then abide by the earlier mentioned provisions of the HIPAA Privacy Rule or suffer sanctions and penalties. That is applicable to patients that remain under the hospital’s care, even when the 72-hour period has not passed.
More information regarding the HIPAA waiver and HIPAA Privacy and Disclosures during Emergency cases is available in the HHS HIPAA Bulletin.