Hurricane Florence has caused the Department of Health and Human Services (“HHS”) to declare a public health emergency ahead of the storm.  Accordingly, HHS’ Office for Civil Rights (“OCR”) released guidance ahead of the hurricane.  The focus of the guidance is that HIPAA should not impede patient care in a disaster situation.

In the guidance, Alex Azar, the Secretary of HHS, stated that during the public health emergency HHS will waive sanctions and penalties for certain provisions under HIPAA.  For example, covered entities will not be responsible for: (1) the requirement to honor a request to opt out of a facility directory; (2) the requirement to distribute a notice of privacy practices; (3) the patient’s right to request privacy restrictions; (4) the patient’s right to request confidential communications; and (5) giving patients the opportunity to agree or object to sharing information with family members or friends involved in the patient’s care.  This waiver applies only in the area identified by the public health emergency declaration, only to those hospitals that instituted a disaster protocol, and lasts for 72 hours.  Additionally, the guidance makes clear that when hospitals deal with disaster relief organizations such as the Red Cross, it is unnecessary to obtain a patient’s permission before sharing health information with such an organization if obtaining permission would interfere with the organization’s ability to respond to the disaster.

OCR further reminded everyone that even without this emergency waiver, HIPAA contains several provisions that allow covered entities to share patient information in the event of a disaster. OCR has issued similar guidance following mass shooting events, like the Pulse tragedy in Orlando.  Despite this waiver, covered entities should continue to safeguard patient information and to employ administrative, physical and technical safeguards.

Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.