Effective March 15, 2020, certain hospitals that fail to comply with specific HIPAA Privacy Rule requirements will not be subject to HIPAA sanctions and penalties, according to a “COVID-19 & HIPAA Bulletin” issued by U.S. Health and Human Services Secretary Alex M. Azar. The waiver was implemented as a response to President Trump’s recent declaration of a nationwide emergency concerning COVID-19 and Secretary Azar’s declaration of a public health emergency on January 31, 2020.
Note that this HIPAA waiver is limited. It only applies to (1) hospitals located in an emergency area identified in a public health emergency declaration; (2) hospitals that have instituted a disaster protocol; and (3) for up to 72 hours after the hospital institutes its disaster protocol . When President Trump’s or Secretary Azar’s emergency declaration ends, the HIPAA waiver will end.
In addition, the HIPAA waiver only applies to the following specific HIPAA Privacy Rule requirements:
- obtaining the patient’s consent to speak with family and friends involved in patient care as per 45 C.F.R. 164.510(b)
- honoring the patient’s request to opt out of being included in the facility directory as per 45 C.F.R. 164.510(a)
- distributing the Notice of Privacy Practices to patients as per 45 C.F.R. 164.520
- giving individuals the right to request restrictions on the use or disclosure of their protected health information as per 45 C.F.R. 164.522(a)
- honoring the individual’s right to restrict disclosure of protected health information to a health plan as per 45 C.F.R. 164522(b)
The Bulletin reiterates many of the points addressed in HHS’s February 3, 2020 Bulletin on HIPAA and COVID-19, discussed here in a prior post. The bottom line? HIPAA remains in place during emergencies, except for a limited set of covered entities and with respect to limited provisions of the HIPAA Privacy Rule as described above.