HHS Secretary Waives Certain HIPAA Privacy Rule Provisions for Texas and Louisiana Hospitals
In response to Hurricane Harvey, U.S. Department of Health and Human Services (HHS) Secretary Tom Price, M.D., declared a public health emergency in Texas and Louisiana and has exercised the authority to waive sanctions and penalties against a Texas or Louisiana covered hospital that does not comply with the following provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care
- The requirement to honor a request to opt out of the facility directory
- The requirement to distribute a notice of privacy practices
- The patient's right to request privacy restrictions
- The patient's right to request confidential communications
Other provisions of the Privacy Rule continue to apply, even during the waiver period.
When the Secretary issues such a waiver, it only applies:
(1) in the emergency area and for the emergency period identified in the public health emergency declaration;
(2) to hospitals that have instituted a disaster protocol;
3) with respect to the provisions identified above; and
(4) for up to 72 hours from the time the hospital implements its disaster protocol.
When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
All other provisions of the HIPAA regulations, including the Security Rule and the Breach Notification Rule, remain in effect.
Want to read the full alert and receive alert emails?