Limited Waiver of HIPAA Sanctions and Penalties in Louisiana and Mississippi

Who Does HIPAA Apply To

Following the presidential declaration of an emergency in Louisiana and Mississippi due to Hurricane Ida, the Secretary of the Department of Health and Human Services has declared a public health emergency exists in those states and has announced HIPAA sanctions and penalties against hospitals will be waived for noncompliance with certain provisions of the HIPAA Privacy Rule.

During a public health emergency all provisions of the HIPAA Rules still apply. The HIPAA Privacy and Security Rules are not suspended in emergency situations. The HIPAA Privacy Rule allows patient information to be shared in emergencies to assist in disaster relief efforts, and to help patients receive the care they need; however, the waiver of HIPAA sanctions and penalties will help to ensure that hospitals can continue to provide the necessary care to patients, without fear of sanctions and penalties for noncompliance.

The HIPAA waiver only applies to noncompliance with specific provisions of the HIPAA Privacy Rule, as detailed below:

  • Obtaining a patient’s agreement to speak with family members or friends involved in the patient’s care – 45 CFR 164.510(b)
  • Honoring a request to opt out of the facility directory – 45 CFR 164.510(a)
  • Distribution of a notice of privacy practices – 45 CFR 164.520
  • Honoring a patient’s right to request privacy restrictions – 45 CFR 164.522(a)
  • Honoring a patient’s right to request confidential communications – 45 CFR 164.522(b)

The HIPAA waiver only applies in the areas covered by the public health emergency declaration, only for the emergency period defined in that declaration, and only for hospitals that have instituted their disaster protocol. The waiver only covers hospitals that meet the above criteria for up to 72 hours after the disaster protocol has been initiated.

Once the presidential or secretarial declaration terminates, the HIPAA waiver also terminates, even for patients still under the care of the hospital and even if 72 hours has not elapsed since implementation of its disaster protocol.

The HHS has also released a decision tool to help hospitals determine how the HIPAA Privacy Rule applies to disclosure of protected health information in emergency situations.

About Ryan Coyne 218 Articles
Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan’s professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn https://www.linkedin.com/in/ryancoyne/ and follow on Twitter https://twitter.com/ryancoyne