HIPAA Compliance News

HITRUST/AMA Launch Initiative to Help Small Healthcare Providers with HIPAA Compliance

Posted by HIPAA Journal

HITRUST has announced it has partnered with the American Medical Association (AMA) for a new initiative that will help small healthcare providers with HIPAA compliance, cybersecurity, and cyber risk management.

Small healthcare providers can be particularly vulnerable to cyberattacks, as they typically lack the resources to devote to cybersecurity and do not tend to have the budgets available to hire skilled cybersecurity staff. This week has underscored the need for small practices to improve their cybersecurity defenses, with the announcement of two cyberattacks on small healthcare providers by the hacking group TheDarkOverlord.

Recent ransomware attacks have also shown that healthcare organizations of all sizes are likely to be attacked. Organizations of all sizes must practice good cyber hygiene and have the right defenses in place to improve resilience against ever changing cyber threats.

HITRUST and AMA will be hosting 2-hour workshops where physicians and other healthcare staff will be educated on key areas of risk management, HIPAA compliance, and cybersecurity, with the workshops specifically focused on small healthcare providers.

The initiative runs alongside HITRUST’s Community Extension Program that was launched earlier this year, with the workshops taking place in the two hours prior to the HITRUST Community Extension Program events, which are taking place in 50 cities across the United States.

HITRUST explained, “Many clinics, physician offices, and other small providers are looking for local, community-based resources to help guide them through the journey of establishing governance and risk management programs to avoid a cyber-related breach or event that would disrupt their organization and expose the confidential information of their patients or members.” One of the aims of the workshops is to make good cyber hygiene manageable for small healthcare providers.

These workshops will provide the information small healthcare providers need to make significant improvements to their cybersecurity posture and help them meet the requirements of the HIPAA Security Rule.

While many topics will be covered in the workshops, they will be primarily focused on teaching the fundamentals of good cyber hygiene, explaining the need for cyber and HIPAA risk assessments, and will cover cost-effective technologies that can be implemented to improve cyber security.

“Trying to determine the best way to secure my practice from cyber threats was a significant – and at times, overwhelming – undertaking,” said Dr. J. Stefan Walker, a practicing physician in a small practice in Corpus Christi, TX. “Many existing cybersecurity resources and education programs are geared toward larger health care organizations and are not practical for a practice with only a handful of employees.” These workshops will help small healthcare organizations by providing relevant, useful, and practical advice specific to practices of their size.

The first workshop is being hosted by Children’s Health in Dallas, TX and will take place on October 9. Details of further events will be posted on the HITRUST website.

The post HITRUST/AMA Launch Initiative to Help Small Healthcare Providers with HIPAA Compliance appeared first on HIPAA Journal.

HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone

Posted by HIPAA Journal

The U.S. Department of Health and Human Services has already issued two partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes this year. Now a third HIPAA waiver has been issued, this time in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands.

As was the case with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver only applies to covered entities in areas where a public health emergency has been declared, only for 72 hours following the implementation of the hospital’s disaster protocol, and only for specific provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

As soon as the 72-hour period has elapsed, or as soon as the Presidential or Secretarial declaration terminates, the waiver ceases to apply and covered entities must comply with the above provisions of the Privacy Rule for all patients still under their care.

Further information on the HIPAA waiver in relation to Hurricane Maria can be viewed here.

In an emergency situation, a waiver of sanctions and penalties for violations of limited provisions of the HIPAA Privacy Rule is not strictly necessary, although such a waiver does offer some reassurance to covered entities that are operating in a disaster area.

The HHS has pointed out in its recent communication that in emergency situations, covered entities are permitted to share limited protected health information of patients even if a waiver has not been issued, when it is in the best interests of patients to do so, to help identify patients, to help locate family members, and for public health activities. In the case of the latter, it is permissible to share PHI with public health authorities such as a state or local health department or the CDC for the purpose of preventing or controlling disease, injury or disability.

PHI can also be shared for the purposes of treatment, either the treatment of the patient or another person who may be affected by the same situation, as well as to help with the coordination or management of healthcare, such as sharing PHI with other healthcare providers or when referring patients for treatment – 45 CFR §§ 164.502(a)(1)(ii), 164.506(c)

PHI can be shared with anyone, as necessary, to prevent or lessen a serious or imminent threat to the health and safety of a person or the public., if that person is in a position to lessen or prevent the threatened harm. Such disclosures can be made without the patient’s permission. It is left to the discretion of the covered entity to make a determination about the nature and severity of the threat to health – 45 CFR 164.512(j).

Disclosures can be made to family, friends, and other individuals involved in a patient’s care, and information can be shared to help identify, locate, and notify family members, guardians, or others responsible for a patient’s care – 45 CFR 164.510(b).

When others not involved in the treatment of a patient, including the media, request information about a specific patient by name, a HIPAA-covered entity is permitted to disclose “limited facility directory information” and provide general information about the patient such as whether they are in critical or stable condition, are deceased, or have been treated and have left the facility, provided the patient has not requested the information be kept private.

In all cases, any disclosures must be limited to the minimum necessary information to achieve the purpose for which the information is disclosed. At all times, even in emergency situations, the HIPAA Security Rule requirements apply and covered entities must continue to ensure administrative, physical, and technical safeguards are in place to preserve the confidentiality, integrity, and availability of PHI.

The post HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone appeared first on HIPAA Journal.

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018.

Only a small number of covered entities have been selected to be audited as part of the second phase of compliance audits; however, covered entities that have escaped an audit may still be required to demonstrate they are in compliance with HIPAA Rules.

In addition to the audit program, any HIPAA-covered entities that experiences a breach of more than 500 records will be investigated by OCR to determine whether the breach was the result of violations of HIPAA Rules. OCR also investigates complaints submitted through the HHS website.

The first round of HIPAA compliance audits in 2011/2012 did not result in any financial penalties being issued, but that may not be the case for the second round of audits. Also, the past two years as seen an increase in financial penalties for noncompliance with HIPAA Rules that was discovered during investigations of complaints and data breaches.

There is now an elevated risk of an audit or investigation and OCR is issuing more fines for noncompliance. Consequently, covered entities cannot afford to take chances. Many healthcare organizations are turning to HIPAA compliance software and are seeking assistance from compliance experts to ensure their compliance programs are comprehensive and financial penalties are avoided.

Imperial Valley Family Care Medical Group Calls in HIPAA Compliance Experts

Imperial Valley Family Care Medical Group is a multi-specialty physician’s group with 16 facilities spread throughout California. IVFCMG was not selected for a desk audit, although following the theft of a laptop computer, OCR investigated the breach. IVFCMG was required to demonstrate compliance with HIPAA Rules and provide documentation to show the breach was not caused by the failure to follow HIPAA Rules.

Covered entities may fear a comprehensive HIPAA audit, but investigations into data breaches are also comprehensive. OCR often requires considerable documentation to be provided to assess compliance following any breach of protected health information. In the case of IVFCMG, OCR’s investigation was comprehensive.

Responding to OCR’s comprehensive questions in a timely manner was essential. IVFCMG, like many covered entities that are investigated or selected for an audit must be careful how they respond and all questions must be answered promptly and backed up with appropriate documentation.

As we have already seen this year, if HIPAA Rules are not followed to the letter after a data breach is experienced, fines can follow. Presense Health was fined $475,000 by OCR for potential violations of the HIPAA Breach Notification Rule following a breach of PHI.

Following the breach, IVFCMG turned to a third-party firm for assistance and contacted the Compliancy Group. By using the firm’s Breach Response Program, IVFCMG was able to ensure all of the required actions were completed, in the right time frame, and all of those processes were accurately documented.

The Breach Response Program is part of the Compliancy Group’s “The Guard” HIPAA compliance software platform. Compliancy Group simplifies HIPAA compliance, allowing healthcare professionals to confidently run their practice while meeting all the requirements of the HIPAA Privacy, Security and Breach Notification Rules. The Guard uses the “Achieve, Illustrate, and Maintain” methodology to ensure continued compliance, with covered entities guided by HIPAA compliance experts all the way.

IVFCMG’s Chief Strategic Officer, Don Caudill, said “Their experts provided us with a full report and documentation proving that our HIPAA compliance program satisfied the law – which ultimately helped us avoid hundreds of thousands of dollars in fines.” When OCR responded to the initial breach report asking questions about another aspect of HIPAA Rules, IVFCMG was able to respond in a timely fashion and provide the evidence to prove it was in compliance.

HIPAA compliance software helps covered entities pass a HIPAA audit, respond appropriately when OCR investigates data breaches and complaints, and avoid fines for non-compliance. OCR has increased its enforcement activity over the past two years and healthcare data breaches are on the rise. Non-compliance with HIPAA Rules is therefore much more likely to be discovered and result in financial penalties.

Small to medium sized HIPAA-covered entities with limited resources to dedicate to HIPAA compliance can benefit the most from using HIPAA compliance software and receiving external assistance from HIPAA compliance experts.

“Responding to a HIPAA audit requires sensitivity and expertise,” Bob Grant, Chief Compliance Officer of Compliancy Group, told HIPAA Journal. “As a former auditor, I’ve developed The Guard and our Audit Response Program to satisfy the full extent of the HIPAA regulatory requirements. Giving federal auditors everything they need to assess the compliance of your organization is our number one goal. Our Audit Response Program is the only program in the industry to give health care professionals the power to illustrate their compliance so they can get back to running their business in the aftermath of a HIPAA audit.”

The post The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit appeared first on HIPAA Journal.

OCR Launches Information is Powerful Medicine Campaign to Encourage Patients to Access Their Health Data

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has launched a new campaign to raise awareness of patients’ right to access their health information and the benefits of doing so.

The “Information is Powerful Medicine” campaign informs patients that they have the right to obtain copies of their health data and tells them to “Get it. Check it. Use it.”

The benefits to patients are clear. If they obtain copies of the health information they can check their medical records for errors and correct any mistakes. Having access to health data helps patients to make better decisions about their health care and discuss their health more fully with their providers. Armed with their health data, patients can do more to stay healthy.

Patients are advised that the HIPAA Privacy Rule allows them to obtain a physical or electronic copy of their health data and that their provider should provide the information as requested within 30 days. It has been explained that they may be charged a nominal fee for obtaining a copy of their health data. Patients are also informed that copies of their health data cannot be denied by their providers, even if there is a medical bill outstanding.

Healthcare providers should encourage their patients to take greater interest in their own healthcare and obtain copies of their health records. OCR has produced a range of resources for healthcare providers to use to achieve this aim, including brochures, web banners, and posters.

The OCR resources can be accessed on this link: HIPAA Right to Access Health Information.

Healthcare providers should make it as easy as possible for patients to request copies of their health data. To make the process as easy as possible, consider using the model PHI request form developed by AHIMA. The form helps healthcare providers streamline the request process and ensure all necessary information is obtained from patients.

The post OCR Launches Information is Powerful Medicine Campaign to Encourage Patients to Access Their Health Data appeared first on HIPAA Journal.

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone

Posted by HIPAA Journal

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma.

As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma.

OCR has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act.

In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived:

  • 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • 45 CFR 164.510(a) – Honor requests to opt out of the facility directory.
  • 45 CFR 164.520 – Distribute a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

The waiver only applies to penalties and sanctions in relation to the above provisions of the HIPAA Privacy Rule, only to hospitals in the emergency area that have implemented their disaster protocol, and only for the time period identified in the public health emergency declaration.

The waiver applies for a maximum of 72 hours after a hospital has implemented its disaster protocol. If either the President’s or HHS Secretary’s declaration terminates within that 72-hour time period, the hospital must immediately comply with all aspects of the HIPAA Privacy Rule for all patients under its care.

In emergency situations, the HIPAA Privacy Rule does permit the sharing of PHI for treatment purposes and with public health authorities that require access to PHI to carry out their public health mission. HIPAA-covered entities are also permitted to share information with family, friends, and others involved in an individual’s care, even if a waiver has not been issued. Further details of the allowable disclosures in emergency situations are detailed in the HHS HIPAA bulletin.

In all cases, covered entities must limit disclosures to the minimum necessary information to achieve the purpose for which PHI is disclosed.

Even during natural disasters, healthcare organizations and their business associates must continue to comply with the HIPAA Security Rule and must ensure appropriate administrative, physical, and technical safeguards are maintained to ensure the confidentiality, integrity, and availability of electronic protected health information to prevent unauthorized access and disclosures.

The post Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone appeared first on HIPAA Journal.

OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters

Posted by HIPAA Journal

Hospitals in Texas and Louisiana had to ensure medical services continued to be provided during and after Hurricane Harvey, without violating HIPAA Rules. Questions were raised about when it is permitted to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights responded by issuing guidance to covered entities on the HIPAA Privacy Rule and disclosures of patient health information in emergency situations to help healthcare organizations protect patient privacy and avoid violating HIPAA Rules. Allowable disclosures are summarized in this document.

Hot on the heels of hurricane Harvey comes hurricane Irma, closely followed by hurricane Jose. Hospitals in other parts of the United States will have to cope with the storm and its aftermath and still comply with HIPAA Rules. OCR has taken the opportunity to remind covered entities of the need to prepare.

OCR has explained that the HIPAA Privacy Rule was carefully created to ensure that in emergency situations, healthcare organizations can protect the privacy of patients and still share individually identifiable health information.

OCR also reconfirmed that even in emergency situations, the HIPAA Security Rule is not suspended and preparation for emergencies is essential. HIPAA-covered entities and business associates are required to implement strategies to ensure ePHI remains secured at all times and the confidentiality, integrity, and availability of ePHI is not placed in jeopardy. During and after an emergency, ePHI must be accessible, which means covered entities must plan for all eventualities to ensure patient health information can always be accessed.

OCR explained that the HIPAA Security Rule – § 164.308(a)(7) – requires contingency plans to include a data backup plan, disaster recovery plan, and emergency mode operation plan. These are all required elements of the HIPAA Security Rule.

The data backup plan must ensure retrievable, exact copies of electronic protected health information are created and maintained. The disaster recovery plan must ensure any data lost during a natural disaster or emergency can be recovered from backups. Procedures must be established, and implemented as necessary, to ensure data can be quickly recovered. During emergency mode, security processes to protect ePHI must be maintained, even during power outages and technical failures.

Further, there are two addressable requirements: testing and revision procedures and application and data criticality analysis. Covered entities should periodically test their contingency plans and revise them as necessary to ensure they continue to be effective in an emergency situation. Covered entities should also identify software applications that store, maintain or transmit ePHI, and assess how important each is to business needs. Priorities must be set for data backup, emergency operations, and disaster recovery.

OCR has drawn attention to an interactive decision tool on the HHS website that has been developed to help healthcare organizations prepare for the worst and find out how HIPAA Rules apply in emergency situations. OCR explains, “The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels.”

While the reminders have been issued specifically to help covered entities prepare for when hurricane Irma makes landfall, even covered entities unlikely to be affected must ensure they are prepared for the worst.

The post OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters appeared first on HIPAA Journal.

OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017

Posted by HIPAA Journal

Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) has stated his main enforcement priority for 2017 is to find a “big, juicy, egregious” HIPAA breach and to use it as an example for other healthcare organizations of the dangers of failing to follow HIPAA Rules.

When deciding on which cases to pursue, OCR considers the opportunity to use the case as an educational tool to remind covered entities of the need to comply with specific aspects of HIPAA Rules.

At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino explained that “I have to balance that law enforcement instinct with the educational component that we do.” Severino went on to say, “I really want to make sure people come into compliance without us having to enforce. I want to underscore that.”

Severino did not explain what aspect of noncompliance with HIPAA Rules OCR is hoping to highlight with its next big, juicy settlement, although no healthcare organization is immune to a HIPAA penalty if they are found to have violated HIPAA Rules. Severino said, “Just because you are small doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.”

Severino also explained that the number of complaints OCR is now receiving is colossal. More than 20,000 complaints about security incidents and privacy violations are received each year. OCR has many staff issuing technical assistance to help covered entities with their compliance programs.  The goal is to significantly reduce the number of complaints and enjoy a “culture of compliance” throughout the country.

The majority of HIPAA violations are resolved through technical assistance and voluntary compliance, but financial penalties are appropriate for egregious breaches of HIPAA Rules.

Already this year, OCR has agreed eight settlements with covered entities to resolve HIPAA violations discovered during investigations of complaints and data breaches and has issued one civil monetary penalty:

2017 HIPAA Enforcement Actions

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million (Civil monetary penalty)
  • Cardionet – $2.5 million
  • Memorial Hermann Health System (MHHS) – $2.4 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000
  • Metro Community Provider Network – $400,000
  • Luke’s-Roosevelt Hospital Center Inc. – $387,000
  • The Center for Children’s Digestive Health – $31,000

The largest HIPAA settlement of 2017 was agreed with Memorial Healthcare System – a health system consisting of 6 hospitals and various other facilities in South Florida. The settlement of $5.5 million resolved potential violations of HIPAA Rules relating to the impermissible accessing of ePHI by employees and the impermissible disclosure of PHI to affiliated physician office staff.  The settlement underscored the importance of audit controls and the need to carefully control who has access to the ePHI.

The second largest HIPAA settlement of 2017 was for $2.5 million and resolved multiple potential violations of HIPAA Rules that contributed to a breach of 1,391 patient records. The incident involved the theft of an unencrypted laptop computer from healthcare services provider Cardionet. The settlement underscored the importance of conducting a comprehensive risk assessment and of addressing vulnerabilities to the confidentiality of ePHI.

In May, OCR announced a $2.4 million settlement with Memorial Hermann Health System. The settlement resolved HIPAA violations discovered during the investigation of an impermissible disclosure of a patient’s ePHI in a press release and during subsequent meetings with advocacy groups and state representatives.

In January, a $2.2 million settlement was agreed with MAPFRE Life Insurance Company of Puerto Rico. The incident that triggered the investigation involved the theft of an unencrypted pen drive containing the PHI of 2,209 individuals. The investigation revealed multiple violations of HIPAA Rules including the failure to conduct a thorough and accurate risk assessment, the failure to implement a security awareness training program, the failure to encrypt ePHI and the failure to implement appropriate policies to safeguard ePHI.

The civil monetary penalty against Children’s Medical Center of Dallas was issued for the impermissible disclosure of ePHI and multiple failures to comply with the HIPAA Security Rule over several years. The settlement resolves HIPAA failures that contributed to a breach of 3,800 records involving the loss of an unencrypted Blackberry device in 2009 and the loss of an unencrypted laptop containing 2,462 records in 2013.

There has been a period of quiet on the enforcement front over the summer, with the last settlement announced in May. The fall is likely to see more settlements announced and this year looks on track to be another record year for HIPAA enforcement. The big, juicy egregious breach that OCR is looking for may prove to be the largest HIPAA penalty yet.

The post OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017 appeared first on HIPAA Journal.

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

Posted by HIPAA Journal

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human may choose to waive certain provisions of the HIPAA Privacy Rule under Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

The post HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone appeared first on HIPAA Journal.

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

Posted by HIPAA Journal

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human may choose to waive certain provisions of the HIPAA Privacy Rule under Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

The post HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone appeared first on HIPAA Journal.