HHS Secretary Issues Directive on HIPAA Privacy During Public Health Emergency

8/31/2017 2:39 PM

Waivers approved for certain provisions of the Health Insurance Portability and Accountability Act Privacy Rule during the public health emergency on the Gulf Coast. Business associates for healthcare providers, including debt collectors, should take note of the waivers.


U.S. Department of Health and Human Services Secretary Tom Price waived sanctions and penalties for covered hospitals in Texas and Louisiana that do not comply with certain provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule as the public health emergency from Hurricane and Tropical Storm Harvey continues.

HIPAA requires healthcare providers to ensure their business associates, such as debt collectors, follow privacy and security requirements of the act.

According to the waiver from HHS, “a business associate of a covered entity (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.”

Specifically, according to HHS, Price waived the following for covered hospitals in Texas and Louisiana:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
  • The requirement to honor a request to opt out of the facility directory;
  • The requirement to distribute a notice of privacy practices;
  • The patient's right to request privacy restrictions; and
  • The patient's right to request confidential communications.

“All other provisions of the HIPAA regulations, including the Security Rule and the Breach Notification Rule, remain in effect,” according to HHS.

The waiver also applies only in the “emergency area and for the emergency period identified in the public health emergency declaration; to hospitals that have instituted a disaster protocol; with respect to the provisions identified above; and for up to 72 hours from the time the hospital implements its disaster protocol,” according to HHS.

When the public health emergency ends, “a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.”

Visit the HHS website for more information regarding HIPAA privacy and disclosures in emergency situations and additional details regarding emergency situation preparedness, planning, and response.

ACA International members may find more information about HIPAA and the role of healthcare providers’ business associates through the ACA SearchPoint library. All documents related to HIPAA are available in the SearchPoint library by selecting the HIPAA tab. ACA members must be logged in to the website to access SearchPoint documents.

See previous coverage from ACA for resources on reputable charities to help those in the path of the storm and for disaster relief.
