March 24, 2020 

HHS Issues a Limited Waiver Of HIPAA Privacy Rule Sanctions and Penalties in the Midst of the COVID-19 Pandemic

by Amanda ColeApril Walkup, and Ann Ford

In response to the evolving COVID-19 pandemic, the Department of Health and Human Services (HHS) Secretary Alex Azar issued a limited waiver of the sanctions and penalties of certain HIPAA Privacy Rules. Effective March 15, 2020 at 6:00 p.m., a covered hospital will not be subject to sanctions or penalties arising from noncompliance with the following provisions of the privacy rule:
  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • The requirement to honor a request to opt out of the facility directory.
  • The requirement to distribute a notice of privacy practices.
  • The patient’s right to request privacy restrictions.
  • The patient’s right to request confidential communications.
The waiver applies nationwide since Secretary Azar declared a nationwide public health emergency on January 31, 2020. However, the waiver only applies to hospitals that have instituted a disaster protocol, and the waiver expires 72 hours after the hospital’s disaster protocol was implemented.

The waiver will end after the national emergency and/or public health emergency have terminated, or 60 days after the waiver was first published (1). The Secretary has the authority to extend the waiver for periods of up to 60 days.

In addition to the limited waivers, HHS continues to remind covered entities what are permissible uses and disclosures of protected health information (PHI). The HIPAA Privacy Rule does allow disclosure of a patient’s PHI without his or her authorization for the following limited circumstances:
  1. Treatment: Covered Entities may disclose a patient’s PHI as necessary to treat the patient or to treat a different patient. Keep in mind that treatment also includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.
  2. Public Health Activities: Covered Entities may disclose a patient’s PHI as necessary to a public health authority (CDC, state, or local health department) for the purpose of preventing or controlling disease, injury, or disability. It is also permissible for a covered entity to disclose PHI to a foreign government agency if it is done at the behest of a public health authority that is working in collaboration with the foreign government agency. Finally, Covered Entities may disclose PHI to a person who is at risk of contracting or spreading a disease if other laws authorize the notification to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.
  3. Disclosures to Family, Friends, and Others Involved in Individual’s Care: Covered Entities may disclose PHI to individuals who are involved in the patient’s care, including the patient’s family members, relatives, friends, or other persons identified by the patient. Covered Entities are also permitted to share information about a patient with the police, press, or public at large in order to identify, locate, and notify family members or others responsible for the patient’s care of the patient’s location, condition, or death. When possible, covered entities should try to obtain verbal permission from the patient before making these types of disclosures. If a patient is unconscious or incapacitated, health care providers must use professional judgment to determine if it is in the best interest of the patient to share the relevant information.
  4. Disclosures to Prevent a Serious and Imminent Threat: Covered entities may share a patient’s information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. Again, HIPAA defers to the professional judgment of health professionals in making the determination that this type of disclosure is necessary.
  5. Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification: A Covered Entity must obtain a patient’s written authorization before it can report to the media or public at large about the patient’s PHI. This includes test results or details of the patient’s illness. If a patient is incapacitated, a covered entity may disclose PHI of the patient if it is believed to be in the best interest of the patient.
Covered Entities must also keep in mind the minimum necessary requirement with any disclosures that are made. This rule requires covered entities to only use or disclose the minimum amount of PHI to satisfy a particular purpose or carry out a function. Minimum necessary requirements do not apply to disclosures that are made for treatment purposes, and covered entities can reasonably rely on representations that a public health authority is only requesting the minimum necessary amount of information to serve the organization’s purposes.

Although the Privacy Rule has been at the forefront of HHS’ most recent bulletins and notices, covered entities must also continue to implement reasonable and appropriate administrative, physical, and technical safeguards to protect patients’ electronic PHI and remain compliant with the HIPAA Security Rule.

(1) The Waiver or Modification of Requirements Under Section 1135 of the Social Security Act, which included the limited HIPAA waivers, was first published on March 13, 2020.