In a release yesterday, HHS Secretary Tom Price stated that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in the Hurricane Harvey disaster area.
This waiver is only applicable to the provisions of the HIPAA Privacy Rule as outlined below:
- The obligation to seek a patient’s agreement to communicate with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- The requirement to respect a request to opt out of the facility directory. See 45 CFR 164.510(a).
- The obligation to distribute a formal of privacy practices. See 45 CFR 164.520.
- The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- The patient’s right to seek confidential communications. See 45 CFR 164.522(b)
These sanction waivers only apply to hospitals in the the Hurricane Harvey emergency regions that have been named in the public health emergency declaration.
The waiver is only applicable if hospitals have put in place a disaster protocol. In this case it is applicable for 72 hours after the disaster protocol has been implemented. It will remain in place only until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed at this point.
Further information on the limited sanction waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be seen in this HIPAA bulletin from HHS.