Limited Waiver of HIPAA Sanctions and Penalties in Louisiana and Mississippi

Following the presidential declaration of an emergency in Louisiana and Mississippi due to Hurricane Ida, the Secretary of the Department of Health and Human Services has declared that a public health emergency exists in those states and has announced that HIPAA sanctions and penalties against hospitals will be waived for noncompliance with certain provisions of the HIPAA Privacy Rule.

During a public health emergency all provisions of the HIPAA Rules still apply. The HIPAA Privacy and Security Rules are not suspended in emergency situations. The HIPAA Privacy Rule allows patient information to be shared in emergencies to assist in disaster relief efforts, and to help patients receive the care they need; however, the waiver of HIPAA sanctions and penalties will help to ensure that hospitals can continue to provide the necessary care to patients, without fear of sanctions and penalties for noncompliance.

The HIPAA waiver only applies to noncompliance with specific provisions of the HIPAA Privacy Rule, as detailed below:

  • Obtaining a patient’s agreement to speak with family members or friends involved in the patient’s care – 45 CFR 164.510(b)
  • Honoring a request to opt out of the facility directory – 45 CFR 164.510(a)
  • Distribution of a notice of privacy practices – 45 CFR 164.520
  • Honoring a patient’s right to request privacy restrictions – 45 CFR 164.522(a)
  • Honoring a patient’s right to request confidential communications – 45 CFR 164.522(b)

The HIPAA waiver only applies in the areas covered by the public health emergency declaration, only for the emergency period defined in that declaration, and only for hospitals that have instituted their disaster protocol. The waiver only covers hospitals that meet the above criteria for up to 72 hours after the disaster protocol has been initiated.

Once the presidential or secretarial declaration terminates, the HIPAA waiver also terminates, even for patients still under the care of the hospital and even if 72 hours has not elapsed since implementation of its disaster protocol.

HHS has also released a decision tool to help hospitals determine how the HIPAA Privacy Rule applies to disclosure of protected health information in emergency situations.