The Secretary of the U.S. Department of Health and Human Services (HHS) has issued a limited waiver of HIPAA sanctions and penalties due to the nationwide public health emergency caused by COVID-19.
The waiver became effective on March 15, 2020 in response to President Trump's decleration of a nationwide emergency concerning COVID-19, and the Secretary of HHS Alex Azar's earlier declaration of public health emergency on January 31, 2020. The waiver gives a covered hospital some relief if it does not comply with the following provisions of the HIPAA Privacy Rule:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- The patient's right to request privacy restrictions. See 45 CFR 164.522(a).
- The patient's right to request confidential communications. See 45 CFR 164.522(b).
Of note is the waiver only applies under three conditions:
- In the emergency area identified in the public health emergency declaration
- To hospitals that have instituted a disaster protocol
- For up to 72 hours from the time the hospital implements its disaster protocol
The purpose of enacting the waiver is to make sure the Privacy Rule does not prohibit the sharing of protected health information during disasters to assist patients and make sure they get the care they require. That includes sharing some health information with friends, family members and other individuals directly involved in a patient’s care. There has been recent precedent of the limited waiver being used in similar emergency situations for Puerto Rico Earthquakes and for Tropical Storm Barry.
Additional Reading: HIPAA Compliant Email: The Definitive Guide