Healthcare Information Security

HIPAA and Compliance News

Another Major Storm, Another HHS HIPAA Privacy Rule Waiver

HHS Secretary Alex Azar has issued another HIPAA Privacy Rule waiver for US territory the Northern Marianas Islands, which was devastated by Super Typhoon Yutu this week.


Source: Thinkstock

By Fred Donovan

- HHS Secretary Alex Azar has issued another HIPAA Privacy Rule waiver for US territory the Northern Marianas Islands, which was devastated by Super Typhoon Yutu this week.

Super Typhoon Yutu was a Category 5 storm when it hit the Northern Marianas Islands, with sustained winds of 180 mph. Electricity and phone services has been knocked out on the islands.

This brings to three the number of HIPAA waivers Azar has issued in the last two months. Last year, the HHS secretary issued four HIPAA waivers; three for Hurricanes Maria, Irma, Harvey and one for the California Wildfires.

According to the Oct. 25 HHS bulletin, the HHS secretary “has declared a public health emergency in the Commonwealth of the Northern Marianas Islands, a U.S. territory, due to damage from Super Typhoon Yutu following the President’s declaration that a disaster exists in these areas. Under these circumstances, the Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient's right to request confidential communications. See 45 CFR 164.522(b).”

The HIPAA Privacy Rule contains provisions designed to deal with emergencies, even when a waiver is not issued. These provisions, as summarized in a recent feature, include:

Treatment: Covered entities can disclose, without the patient’s authorization, PHI as necessary to treat the patient or to treat another person.

Public health activities: Covered entities can disclose PHI without authorization to a public health authority, to a foreign government at the direction of a US public health authority, and to people at risk of contracting or spreading a disease, state law permitting.

Disclosures to family, friends, or others involved in patient care: Covered entities can share PHI with a patient’s family, members, relatives, friends, or other people identified by the patient as involved in his or her care. They also can share information about a patient to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care. This information may include the patient’s location, general condition, or death.

Disclosures to prevent an imminent threat: Covered entities can share PHI to prevent or lessen a serious and imminent threat to the health and safety of an individual or the public at large. A provider may disclose a patient’s PHI to anyone who can prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission.

Disclosures to media or others not involved in patient care: Covered entities may release limited facility directory information to acknowledge someone is a patient and provide basic information about the patient’s condition in general terms. However, this requires that the patient has not objected to or restricted the release of that information or, if the patient is incapacitated, that the covered entity believes release of the information is in the best interest of the patient and is consistent with any prior expressed preferences of the patient.

Minimum necessary: Covered entities must make reasonable effort to limit the information disclosed to the “minimum necessary” to accomplish the purpose.

business associate (BA) may disclose patient information as permitted by the Privacy Rule to a public health authority on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.

“Those are the provisions that allow you to disclose information to law enforcement in order to identify people, to disaster assistance entities like The Red Cross, and to public health entities,” Melissa Markey, an attorney with the law firm of Hall, Render, Killian, Heath & Lyman, told in the feature article.

“Those provisions apply all the time. You don't need to look for a waiver or notification from HHS to use those provisions,” Markey concluded.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...