Is the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) suspended during a national or public health emergency?
No, the Security Rule is not suspended during a national or public health emergency. The Secretary of HHS may waive sanctions and penalties arising from certain provisions of the Privacy Rule under the Project BioShield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act if the President declares an emergency or disaster and the Secretary declares a public health emergency. However, these provisions have no application to the Security Rule.
The Security Rule includes requirements for covered entities to ensure the confidentiality, integrity and availability of all electronic protected health information they create, receive, maintain or transmit. The rule further requires that covered entities protect against any reasonably anticipated threats or hazards to the security or integrity of such information. Other provisions of the Security Rule require covered entities to implement security measures that specifically contemplate emergency conditions. For example, covered entities must have contingency plans that establish policies and procedures for responding to an emergency or other occurrence (fire, system failure and natural disaster) that damages systems that contain e-PHI (45 CFR §164.308(a)(7)(i)).
As with all HIPAA-related complaints, the Office for Civil Rights will evaluate complaints that arise during the course of a national or public health emergency on a case-by-case basis and exercise its discretion in taking enforcement action. For more information on suspension of the Privacy Rule during a national or public health emergency, please see FAQ #1068.