HIPAA is not waived during natural disasters, and healthcare organizations must still comply with HIPAA regulations.
However, the Department of Health and Human Services (HHS) recognizes the need for flexibility during disasters to ensure patient safety and continuity of care. In these specific circumstances, the HHS Secretary may declare a public health emergency and exercise the authority to waive certain requirements so that protected health information (PHI) may be disclosed without patient authorization. These waivers are temporary, limited to certain geographic areas and timeframes, and intended to facilitate healthcare services and emergency response efforts.
The legal foundation for these measures is established in Section 1135 of the Social Security Act, which grants the authority to make exceptions or adjustments to specific healthcare requirements in emergency situations.
As stated by the HHS, "If the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule:"
The HIPAA waivers are deliberately designed to be limited in extent, with a particular focus on addressing the unique circumstances of the emergency at hand.
During a declared public health emergency, healthcare providers may be permitted to disclose protected health information (PHI) without patient authorization for the following purposes:
These disclosures are subject to specific conditions and restrictions that balance patient privacy with public health needs.
While HIPAA waivers provide some flexibility during natural disasters, healthcare organizations must still take steps to safeguard PHI and maintain compliance, such as:
Following Hurricane Idalia in Florida and the Maui wildfires, President Biden and HHS Secretary Becerra declared a state of emergency and a public health emergency in both locations, responding to significant losses.
These declarations led to various actions, including waiving HIPAA regulations to enhance crisis response, allowing healthcare providers greater flexibility in patient care without compromising privacy and security standards.
While these measures grant more flexibility for emergency healthcare during natural disasters, they are temporary and do not exempt providers from privacy laws; they serve to improve crisis response.