Health Information Compliance Alert

Clip And Save:

Know How a Public Health Emergency Works

Review the 1135 Waiver specifics for HIPAA questions after a disaster.

Pocket this who, what, when, where, and why of a Public Health Emergency (PHE) and how to address HIPAA for times of need.

WHO: After the President of the United States establishes an emergency under the Stafford Act, the HHS Secretary declares a PHE.

WHAT: The HHS Secretary determines there’s a PHE under Section 319 of the Public Health Service Act (PHSA).

WHEN: A Section 319 PHE is good for a duration of 90 days, but it may be shortened by the HHS Secretary if it’s determined an emergency no longer exists.

WHERE: The PHE covers the state and/or local areas referenced in the HHS Secretary’s declaration under Section 319 of the PHS Act only.

WHY: The Secretary determines that there’s a high risk of disease and disorder due to the emergency or disaster. The hazards must be significant enough to declare the PHE in the first place. That’s why, under Section 319 of the PHSA, the HHS Secretary can then offer grants, conduct investigations, support state and local healthcare efforts, and waive certain federal requirements that may be compromised due to the disaster.

Register How HIPAA Evolves Under the PHE

A declaration of a PHE eases the privacy rules under HIPAA, but both the President and the HHS Secretary must weigh in before disclosures are allowed. Once the President declares an emergency or disaster under the Stafford Act or the National Emergencies Act and the HHS Secretary declares a PHE under the Public Health Service Act, providers can then rely on those determinations to use the 1135 Waiver outlined in the Social Security Act.

Blanket waiver: Some “sanctions and penalties” are also waived by the HHS Secretary for covered entities (CEs) under a PHE determination. Here is a list of the HIPAA Privacy Rule specifics that are eligible for waiver in a PHE, according to the HHS Office of Civil Rights (OCR) guidance:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. (45 CFR, part 164.510[b])
  • The requirement to honor a request to opt out of the facility directory. (45 CFR, part 164.510[a])
  • The requirement to distribute a notice of privacy practices. (45 CFR, part 164.520)
  • The patient’s right to request privacy restrictions. (45 CFR, part 164.522[a])
  • The patient’s right to request confidential communications. (45 CFR, part 164.522[b])

Warning: Remember that a federal 1135 blanket waiver doesn’t mean you can stop following mandates. In fact, CEs must try to follow HIPAA as closely as possible, protecting patients’ privacy.

Although HIPAA permits disclosures of PHI without patient authorization for public health activities and emergencies, you “cannot disregard a patient’s right to privacy in those cases where a patient’s information has been the subject of a public health report,” cautions attorney Laurie Cohen of Nixon Peabody LLP in Albany, New York, in a blog posting.

Note: Read the OCR’s advice for HIPAA in a PHE at www.hhs.gov/hipaa/for-professionals/faq/1068/is-hipaa-suspended-during-a-national-or-public-health-emergency/index.html.