Hurricanes and HIPAA

September 14, 2018

The Secretary of HHS has declared

a public health emergency in North Carolina, South Carolina, and Virginia following the President’s declaration that a disaster exists in the area as a result of Hurricane Florence. Under these circumstances, the Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:


  • The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. (45 CFR 164.510(b)).

  • The requirement to honor a request to opt out of the facility directory. (45 CFR 164.510(a)). 

  • The requirement to distribute a notice of privacy practices. (45 CFR 164.520).

  • The patient's right to request privacy restrictions. (45 CFR 164.522(a)).

  • The patient's right to request confidential communications. (45 CFR 164.522(b)).


When the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.


Read OCR's Bulletin on Hurricane Florence


CentraVance Consulting can help your organization comply with the Disaster Recovery Requirements of the HIPAA Rules. For more information, visit or call 804-977-1201.



Please reload

Recent Posts

Please reload


Please reload



©2017 by CentraVance Consulting, LLC.