Mar 23, 2020

HIPAA Privacy Rules Waived and Relaxed

The medical sector, the hardest hit by the COVID-19 pandemic, received some relief from the regulatory burdens associated with its operations. Multiple government agencies have announced they will waive certain HIPAA noncompliance penalties to permit a faster exchange of patients’ protected health information during the ongoing pandemic. The U.S. Secretary of Health and Human Services (HHS) declared a limited waiver of the HIPAA Privacy Rules. A copy of HHS’ bulletin can be found here [https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf]. Under the waiver, hospitals will not be penalized for failing to comply with the following HIPAA requirements:

  • the requirement to obtain a patient's agreement to speak with family or friends involved in the patient’s care;
  • the requirement to honor a request to opt out of the facility directory;
  • the requirement to distribute a notice of privacy practices;
  • the patient's right to request privacy restrictions; and
  • the patient's right to request confidential communications.

The HIPAA waiver applies only under limited circumstances: in areas covered by the public health emergency, only for hospitals that have implemented their disaster protocol, and only for a period of 72 hours from the time that the disaster protocol is implemented. HHS’ bulletin states that “[w]hen the Presidential or secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.”
 
Apart from treatment-related disclosures, healthcare professionals must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, known as the “minimum necessary” standard. The bulletin states, “[c]overed entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances.” This guidance essentially establishes a safe harbor for covered entities: when information is requested by a public health authority or official, covered entities can meet the minimum necessary standard solely by relying on the representations of that public health authority or official that the requested information is the minimum necessary amount.
 
Disclosures are also allowed in furtherance of preventing or lessening serious and imminent threats. HHS’ bulletin outlines acceptable reasons for when to share patient information with family members, friends, and others involved with the patient’s care. However, HHS has stressed that disclosures to the media and others not involved with caring for the patient are not allowed.
