April 2018 marks the 15th anniversary of the requirement for most HIPAA covered entities to comply with the Privacy Rule.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the HHS Secretary to establish and publicize standards for the electronic exchange, privacy, and security of health information. April 14, 2003 marked the official compliance date for the HIPAA Privacy Rule. By that date, all HIPAA covered entities (except small health plans) were required to implement standards to protect and guard against the misuse of individually identifiable health information.
Fifteenth anniversaries are traditionally symbolized with roses, rubies, or crystal. Throughout the month of April, VantagePoint is highlighting the 15th anniversary of the compliance date for the HIPAA Privacy Rule with special informational posts regarding HIPAA compliance and some of the lesser-known (or lesser-understood) provisions.
One example of a lesser-known provision is the temporary waiver of certain HIPAA Privacy Rule requirements during a declared disaster event. In 2017, the HHS Secretary issued three separate temporary waivers of select HIPAA Privacy Rule requirements in the areas impacted by Hurricanes Harvey, Irma, and Maria. During a national or public health emergency, the HHS Secretary may waive certain provisions of the Privacy Rule under the Project BioShield Act of 2004, as well as section 1135(b)(7) of the Social Security Act. The waivers apply to hospitals that have implemented a disaster protocol and expire 72 hours afterwards. Common Privacy Rule waivers in these situations include the patient right to request privacy restrictions or confidential communications, distribution of the Notice of Privacy Practices, and opt-out of the facility directory. During a disaster, hospitals need to divert resources to the response and away from administrative concerns, so these waivers are a big relief operationally.