As in the case of Hurricane Florence, HHS Secretary Alex Azar has waived sanctions and penalties under certain HIPAA Privacy Rule provisions for areas impacted by Hurricane Michael.
The waiver is intended to enable greater information sharing in response to Hurricane Michael, which devastated the Panhandle of Florida and caused significant damage in Georgia. Azar has declared a public health emergency (PHE) in those states, following the presidential disaster declaration.
“This waiver applies only to the emergency area and for the emergency period identified in the PHE declaration and only to hospitals that have instituted a disaster protocol. Qualifying hospitals can take advantage of the waiver for up to 72 hours from the time the hospital implements its disaster protocol unless the PHE declaration terminates first,” explained OCR in a release.
The same HIPAA Privacy Rule provisions are waived for Hurricane Michael as were waived for Hurricane Florence:
- Requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care
- Requirement to honor a request to opt out of the facility directory
- Requirement to distribute a notice of privacy practices
- Patient's right to request privacy restrictions
- Patient's right to request confidential communications
So far, HHS has issued HIPAA Privacy Rule waivers in the following emergencies: the 2017 California Wildfires and Hurricanes Michael, Florence, Maria, Irma, Harvey, and Katrina.
OCR related that the HIPAA Privacy Rule contains provisions designed to deal with emergencies, even when a waiver is not issued.
As described in a recent HealthITSecurity.com feature, these provisions include:
- Treatment: Covered entities can disclose, without the patient’s authorization, PHI as necessary to treat the patient or to treat another person.
- Public health activities: Covered entities can disclose PHI without authorization to a public health authority, to a foreign government at the direction of a US public health authority, and to people at risk of contracting or spreading a disease, state law permitting.
- Disclosures to family, friends, or others involved in patient care: Covered entities can share PHI with a patient’s family members, relatives, friends, or other people identified by the patient as involved in his or her care. They also can share information about a patient to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care. This information may include the patient’s location, general condition, or death.
- Disclosures to prevent an imminent threat: Covered entities can share PHI to prevent or lessen a serious and imminent threat to the health and safety of an individual or the public at large. A provider may disclose a patient’s PHI to anyone who can prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission.
- Disclosures to media or others not involved in patient care: Covered entities may release limited facility directory information to acknowledge someone is a patient and provide basic information about the patient’s condition in general terms. However, this requires that the patient has not objected to or restricted the release of that information or, if the patient is incapacitated, that the covered entity believes release of the information is in the best interest of the patient and is consistent with any prior expressed preferences of the patient.
- Minimum necessary: Covered entities must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose.
A business associate (BA) may disclose patient information as permitted by the Privacy Rule to a public health authority on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.
Dave Gacioch, a healthcare attorney with McDermott Will & Emery, offered some good advice for healthcare organizations dealing with an emergency like Hurricane Michael: “As a general rule of thumb, my guidance to our healthcare provider clients would be that HIPAA largely still applies in an emergency. But do what's in the best interests of your patients and your community and that will usually put you on the right track to meet your compliance obligations in a disaster situation.”