HIPAA is NOT Suspended During Emergencies
Hospitals and Public Health agencies roll into action during disasters. Working with FEMA, other public agencies and the private sector, all collaborate to protect the health and safety of individuals who face risks and injury. Time is short and personnel may be overworked. And while HIPAA remains in place the Department of Health and Human Services (HHS) recognizes that certain provisions should be waived to help hospitals care for patients and connect patients with their families.
Although HIPAA is not suspended when a public health emergency is declared, several provisions of the Privacy Rule are waived or suspended for a limited time, for hospitals. Otherwise HIPAA remains in effect, and once the time period has ended, the suspended provisions are back in effect. The suspension rules are simple.
Disaster Bulletin from HHS
Quoting from this week’s disaster bulletin from the HHS:
The Secretary of HHS has declared a public health emergency in North Carolina, South Carolina, and Virginia following the President’s declaration that a disaster exists in the area as a result of Hurricane Florence. Under these circumstances, the Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
• the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
• the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
• the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
• the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
• the patient's right to request confidential communications. See 45 CFR 164.522(b).
When the Secretary issues such a waiver, it only applies:
(1) in the emergency area and for the emergency period identified in the public health emergency declaration;
(2) to hospitals that have instituted a disaster protocol; and
(3) for up to 72 hours from the time the hospital implements its disaster protocol.
When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.
The entire Bulletin is here.
The HIPAA E-Tool® Guidance
The Risk Analysis - Risk Management module of The HIPAA E-Tool® provides everything needed to document a Risk Management Plan with step by step guidance on how to get it done. A disaster protocol is one element of such a Plan, and the first requirement for hospitals to take advantage of the Privacy Rule waivers during a disaster. A HIPAA Compliance program is not complete without policies for all of the HIPAA Rules, workforce training, and an annual Risk Analysis - all at your fingertips in The HIPAA E-Tool®.