As it had done for Hurricane Harvey in Texas and Louisiana, and
for Hurricane Irma in Florida, the U.S. Department
of Health and Human Services (HHS) issued a limited waiver
of HIPAA sanctions and penalties for covered entities in
Puerto Rico and the U.S. Virgin Islands in the aftermath of Hurricane Maria.
The waivers are primarily intended to relax some of the
administrative requirements under the HIPAA Privacy Rule for 72
hours, to lessen the administrative burden on hospitals immediately
after a disaster protocol was instituted. The waivers thereby give
hospitals in the emergency area a better chance to catch up with a
sudden influx of patients.
However, the majority of HHS's four-page hurricane bulletin
template is devoted to reminding people of HIPAA provisions that
already existed. For example, in an emergency, a hospital may
share a patient's information for legitimate public health
reasons without his or her authorization, or inform third parties
or the general public in certain situations that someone is a
patient at the facility. Facilities already had broad flexibility
to communicate with patients' relatives and friends, relief
organizations, and the general public as necessary or
appropriate.
Just as the number of recent enforcement actions for HIPAA
violations indicates that certain requirements are still
not fully appreciated by some healthcare providers, in issuing the
hurricane bulletins, HHS clearly wanted to remind
providers that in other respects, HIPAA is already more
flexible than many realize.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.