
Hurricane Season Brings Limited HIPAA Privacy Rule Relief

Hurricane Helene tore through the Southeastern United States from September 26-28, dumping nearly 30 inches of rain in some western North Carolina communities and causing catastrophic flooding, mudslides and wind damage along its path through Florida, Georgia, South Carolina, North Carolina, and Tennessee.  After President Biden declared states of emergency in Florida, Georgia, and North Carolina, Xavier Becerra, the Secretary of the Department of Health and Human Services, declared a public health emergency in each state and issued bulletins outlining limited waivers of HIPAA sanctions and penalties to enable affected hospitals in those states to focus on identifying and caring for patients during the emergency. 

Based on the limited waivers, affected hospitals in the emergency areas will not be penalized for failing to: (1) obtain a patient's agreement for hospital personnel to speak with family members or friends involved in the patient’s care; (2) honor a request to opt out of the hospital's directory; (3) distribute a notice of privacy practices; (4) honor a patient's right to request privacy restrictions; or (5) honor a patient's right to request confidential communications.

The bulletins explain that the Secretary’s waiver is limited to the area and the time period identified in the emergency declaration, and applies only to hospitals that have instituted a disaster protocol, for up to 72 hours from the time the hospital institutes that protocol. If the disaster declaration is terminated before the 72-hour period ends, the waiver also terminates, but disaster declarations may be (and often are) renewed.

Waiving these five HIPAA Privacy Rule requirements for hospitals during emergencies is a practical approach. Respecting individual patient choice about opting out of the facility directory and assuring that a new patient receives a copy of the hospital's notice of privacy practices is important under normal circumstances. During emergencies, however, health care providers need to focus on meeting patient care needs, assuring patient safety, and communicating with family members if and as needed under the circumstances instead of delaying communications to consider whether the patient has expressed privacy preferences that might interfere with such care or safety concerns. Such waivers permit hospitals to more efficiently and effectively continue patient care and emergency or disaster relief operations.   

As the 2024 hurricane season continues, hospitals should maintain an updated disaster protocol for implementation during emergencies. If future hurricanes result in emergency declarations, it is likely that Secretary Becerra again will exercise the option to authorize a waiver of these HIPAA Privacy Rule requirements—but only for those hospitals that have instituted their disaster protocols.

When the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.
