Some HIPAA Requirements Waived for Hospitals in Response to Coronavirus

March 17, 2020 David Holtzman

The Secretary of HHS has declared a nationwide public health emergency. The declaration includes a suspension of some of the requirements of the HIPAA Privacy Rule for hospitals to help ease communications between healthcare providers caring for patients in need of coronavirus testing and treatment, patients’ families, and public health authorities.

The Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  1. The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  2. The requirement to honor a request to opt-out of the facility directory.
  3. The requirement to distribute a Notice of Privacy Practices.
  4. The patient’s right to request privacy restrictions.
  5. The patient’s right to request confidential communications.

HHS notes that when the Secretary issues a waiver, it applies only to hospitals that have instituted a disaster protocol, and only for up to 72 hours from the time the hospital implements its disaster protocol, although it can be extended. When the emergency declaration ends, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

While the HHS Secretary’s waiver is limited to 72 hours, the declaration will likely be extended. However, even without a waiver, the Privacy Rule allows patient information to be shared in emergency situations for healthcare treatment, to notify friends and family of the patient, [or to make] disclosures to public health authorities.

HIPAA allows healthcare professionals the flexibility to disclose limited health information to the public or media in appropriate circumstances. These disclosures, which are made when it is determined to be in the best interest of a patient, are permissible without a waiver to help identify incapacitated patients, or to locate family members of patients to share information about their condition.

There is understandable confusion among healthcare providers and patients over what privacy and security protections are required when using telehealth services during the coronavirus crisis. Under HIPAA, covered entities must implement reasonable safeguards to protect protected health information (PHI) from unauthorized disclosures, and PHI may be used or disclosed only in ways allowed under the HIPAA Privacy Rule, such as when needed for patient care or for other specified purposes.

The HIPAA Security Rule requires covered entities and business associates to safeguard the confidentiality, integrity, and availability of e-PHI during a public health crisis, just as they would normally. Healthcare providers and patients need to know that HIPAA’s requirements to keep PHI safe and secure are designed to protect patients in times like the coronavirus crisis.

HHS also provides an emergency preparedness online decision tool to help healthcare and emergency workers determine how the HIPAA Privacy Rule applies to various disclosures during public health emergencies and other crises.

Please contact COVID-19@cynergistek.com if we can assist you with any questions about the requirements of the HIPAA Privacy Rule or to assist you in identifying and complying with the standards and specifications of the rule.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule and health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
