The Secretary of HHS has declared a nationwide public health emergency. The declaration includes a suspension of some of the requirements of the HIPAA Privacy Rule for hospitals to help ease communications between healthcare providers caring for patients in need of coronavirus testing and treatment, patients’ families, and public health authorities.
The Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
- The requirement to honor a request to opt-out of the facility directory.
- The requirement to distribute a Notice of Privacy Practices.
- The patient’s right to request privacy restrictions.
- The patient’s right to request confidential communications.
HHS notes that when the Secretary issues a waiver, it applies only to hospitals that have instituted a disaster protocol, and for up to 72 hours from the time the hospital implements its disaster protocol, although it can be extended. When the emergency declaration ends, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
While the HHS Secretary’s waiver is limited to 72 hours, the declaration will likely be extended. However, even without a waiver, the privacy rule allows patient information to be shared in emergency situations for healthcare treatment or to notify friends and family of the patient [or to make] disclosures to public health authorities.
HIPAA allows healthcare professionals the flexibility to disclose limited health information to the public or media in appropriate circumstances. These disclosures, which are made when it is determined to be in the best interest of a patient, are permissible without a waiver to help identify incapacitated patients, or to locate family members of patients to share information about their condition.
There is understandable confusion among healthcare providers and patients over what privacy and security protections are required when using telehealth services during the coronavirus crisis. Under HIPAA, covered entities must implement reasonable safeguards to protect protected health information (PHI) from unauthorized disclosures, and PHI may only be used or disclosed in ways allowed under the HIPAA Privacy Rule, such as when needed for patient care or other specified purposes.
The HIPAA Security Rule requires that covered entities and business associates safeguard the confidentiality, integrity, and availability of e-PHI during a public health crisis, just as they would normally. Healthcare providers and patients need to know that HIPAA’s requirements to keep PHI safe and secure are designed to protect patients in times like the coronavirus crisis.
HHS also provides an emergency preparedness online decision tool to help healthcare and emergency workers determine how the HIPAA Privacy Rule applies to various disclosures during public health emergencies and other crises.
Please contact COVIDfirstname.lastname@example.org if we can assist you with any questions about the requirements of the HIPAA Privacy Rule or to assist you in identifying and complying with the standards and specifications of the rule.