HHS Issues Limited Waivers of HIPAA Sanctions and Penalties for Hospitals in Response to COVID-19
In Short
The Situation: The Health Insurance Portability and Accountability Act ("HIPAA") imposes limits on how hospitals may communicate with families and friends of patients, as well as the general public, and provides patients with certain rights to prohibit or limit those communications. As a result, HIPAA can present a significant obstacle for hospitals responding to potential coronavirus (COVID-19) exposures and attempting to reach out to others who may have also been exposed.
The Result: In response to the current COVID-19 nationwide public health emergency, the U.S. Department of Health and Human Services ("HHS") will temporarily waive penalties and sanctions against hospitals when not providing patients with certain rights normally required by HIPAA related to restricting communications about the patient to family, friends, and the general public.
Looking Ahead: During this emergency, the waiver will likely encourage hospitals to proactively communicate with patients' family, friends, and community to warn of and identify potential COVID-19 exposures without being limited by patients' exercising their privacy rights under HIPAA.
Following the recent Presidential declaration of a national emergency and HHS's declaration of a nationwide public health emergency in response to the COVID-19 pandemic, HHS issued a bulletin, on March 16, 2020, entitled "COVID-19 & HIPAA Bulletin" ("Bulletin") that temporarily lessens the burden on hospitals to comply with certain obligations under HIPAA to facilitate the hospitals' response to potential COVID-19 exposures. The Bulletin waives sanctions and penalties under HIPAA against a covered hospital that does not comply with certain provisions of HIPAA's Privacy Rule.
Specifically, while the HIPAA Privacy and Security Rules generally remain in effect during this public health emergency, effective as of March 15, 2020, HHS is waiving sanctions and penalties against a hospital associated with the following provisions of the Privacy Rule:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care. See 45 CFR 164.510(b)
- The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a)
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520
- The patient's right to request privacy restrictions. See 45 CFR 164.522(a)
- The patient's right to request confidential communications. See 45 CFR 164.522(b).
These waivers will apply only: (i) in the emergency area identified in the public health emergency declaration; (ii) to hospitals that have instituted a disaster protocol; and (iii) for up to 72 hours from the time the hospital implements its disaster protocol. However, when the emergency declaration terminates, a hospital will again be subject to all requirements of the Privacy Rule for any patient still under its care (even if the 72 hours have not elapsed since implementation of its disaster protocol).
The Bulletin also outlines multiple ways that the HIPAA Privacy Rule allows disclosures of patient information in emergency situations even without a waiver.
Despite the flexibility under HIPAA provided by these limited waivers for covered hospitals responding to the COVID-19 pandemic, covered hospitals and their business associates otherwise remain subject to both the Privacy Rule and the administrative, physical, and technical safeguards of the HIPAA Security Rule. The Bulletin is limited to hospitals that have instituted a disaster protocol and not all covered entities under HIPAA (e.g., skilled nursing facilities, ambulatory surgery centers, and medical practices).
As the federal response to the COVID-19 outbreak continues, HHS may issue additional guidance providing flexibility with respect to other HIPAA requirements (see, for example, the notice issued on March 17, 2020, with respect to the provision of good-faith telehealth services).
Three Key Takeaways
- HHS's temporary waiver of penalties and sanctions under HIPAA against hospitals that do not provide patients with their privacy rights enumerated in the Bulletin should help facilitate hospitals' ability to proactively communicate with patients' family, friends, and community to warn of and identify potential COVID-19 exposures.
- This waiver has significant limitations that may impact hospitals' implementation and use of the waiver, including that the waiver lasts only for up to 72 hours from the time a hospital implements its disaster protocol.
- Hospitals remain subject to other applicable privacy and security requirements under HIPAA that are not covered by the waiver.