After hurricane Katrina and Rita, DHHS has reviewed its guidance so that the families searching for loved ones in disasters like hurricane, tornado, earthquake or unnatural disasters, do not have to face HIPAA privacy roadblocks.
If an emergency or disaster is declared by the President or if a public health emergency is declared by the secretary of HHS, certain sanctions and penalties may be waived by the secretary against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule.
These waivers apply only to
1. Hospitals in the emergency area and for the emergency period identified in the public health emergency declaration.
2. Hospitals that have instituted a disaster protocol. The waiver would apply to all patients at such hospitals.
3. For up to 72 hours from the time the hospital implements its disaster protocol.
These waivers may be listed down as:
1. The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b));
2. The requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a));
3. The requirement to distribute a notice of privacy practices (45 CFR 164.520);
4. The patient’s right to request privacy restrictions (45 CFR 164.522(a)); and
5. The patient’s right to request confidential communications (45 CFR 164.522(b)).
However, as soon as the presidential or secretarial declaration terminates, a hospital must then comply with all requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.