Skip to main content
09.18.2017 Health Care Data Aware Blog

Recent Guidance from OCR Focuses on Hurricanes Harvey and Irma

With the recent focus on the devastating hurricanes Harvey and Irma, the Department of Health and Human Services (HHS) has been heavily involved with supporting the recovery efforts. The Office for Civil Rights (OCR) has contributed by publishing guidance on the limited “HIPAA waiver” for certain providers affected by Hurricane Harvey, as well as avoiding fake charities looking to take advantage of donors.

OCR’s August 2017 Cybersecurity Newsletter warns covered entities and business associates of potential scams where fake charities set themselves up online and seek donations from well-meaning individuals looking to donate to disaster recovery efforts. These criminals may not just steal your credit card information, they may also use malware to cause more damage to your device or system. OCR lists tips to identify and avoid becoming a victim, including the following:

  • “Most legitimate charities maintain websites ending in ‘.org’ rather than ‘.com’.
  • Do not respond to any unsolicited incoming emails or text messages, by clicking links or downloading files contained within those messages.
  • Be cautious of organizations with copycat names similar to but not exactly the same as those of reputable charities.”[i]

The newsletter also describes a set of best practices for covered entities and business associates to use to train their employees on how to respond to suspicious contacts that they may field via phone or email, as well as a few tips from the Federal Trade Commission on what could indicate a fraudulent charity or fundraiser.

In addition, HHS Secretary Price issued a “Waiver or Modification of Requirements Under Section 1135 of the Social Security Act” both for Hurricane Harvey, for affected areas in Texas and Louisiana, and for Hurricane Irma, including areas in Florida, Puerto Rico and the U.S. Virgin Islands.[ii] These declarations waive potential sanctions or penalties related to compliance with certain HIPAA requirements, but are limited to only those areas and requirements specifically waived in the declaration, and only for a specific, limited amount of time. For example, the Waiver issued on September 6, 2017, for Hurricane Irma, states as follows:

“I hereby waive sanctions and penalties arising from noncompliance with the following provisions of the HIPAA privacy regulations:  (a) the requirements to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to opt out of the facility directory (as set forth in 45 C.F.R. § 164.510); (b) the requirement to distribute a notice of privacy practices (as set forth in 45 C.F.R. § 164.520); and (c) the patient’s right to request privacy restrictions or confidential communications (as set forth in 45 C.F.R. § 164.522); but in each case, only with respect to hospitals in the designated geographic area that have hospital disaster protocols in operation during the time the waiver is in effect.”[iii]

With respect to HIPAA waivers, the terms of the waiver are effective for 72 hours from the time the hospital initiates its disaster protocol, or when the Secretary terminates the declaration, whichever is sooner.[iv] The HIPAA Bulletin released during Hurricane Harvey also reminds providers of how other Privacy Rule requirements related to certain permitted HIPAA disclosures, including those for treatment, public health, and to family, friends and others involved in the patient’s care can help facilitate treatment and care of patients in the unique post-natural disaster environment.[v] As you can see, this limited waiver is intended to allow hospitals to facilitate care in emergency conditions, while attempting to retain the privacy rights of individuals as much as possible.

[i] “August 2017: Protecting yourself from potential scammers while being charitable,”
[ii] “Waiver or Modification of Requirements Under Section 1135 of the Social Security Act in the Commonwealth of Puerto Rico and the territory of the U.S. Virgin Islands as the Result of Hurricane Irma,” September 6, 2017, available at
[iii] Id.
[iv] “Hurricane Harvey and HIPAA Bulletin: Limited Waiver of Sanctions and Penalties During a Declared Emergency,” August 2017, available at
[v] Id.