Effective March 15, 2020, certain hospitals will not be subject to HIPAA sanctions and penalties for failing to comply with specific HIPAA Privacy Rule requirements, according to a “COVID-19 & HIPAA Bulletin” issued by the Secretary of the U.S. Department of Health and Human Services, Alex M. Azar.   The waiver was implemented as a response to President Trump’s recent declaration of a nationwide emergency concerning COVID-19 and Secretary Azar’s declaration of a public health emergency on January 31, 2020.

Note that this HIPAA waiver is limited.  It only applies to (1) hospitals located in an emergency area identified in a public health emergency declaration; (2) hospitals that have instituted a disaster protocol; and (3) for up to 72 hours after the hospital institutes its disaster protocol .   When President Trump’s or Secretary Azar’s emergency declaration ends, the HIPAA waiver will end.

In addition, the HIPAA waiver only applies to the following specific HIPAA Privacy Rule requirements:

• obtaining the patient’s consent to speak with family and friends involved in patient care as per 45 C.F.R. 164.510(b)
• honoring the patient’s request to opt-out of being including in the facility directory as per 45 C.F.R. 164.510(a)
• distributing the Notice of Privacy Practices to patients as per 45 C.F.R. 164.520
• giving individuals the right to request restrictions on the use or disclosure of their protected health information as per 45 C.F.R. 164.522(a)
• honoring the individual’s right to restrict disclosure of protected health information to a health plan as per 45 C.F.R. 164522(b)

The Bulletin reiterates many of the points addressed in HHS’s February 3, 2020 Bulletin on HIPAA and COVID-19, discussed here in a prior post.   The bottom line?  HIPAA remains in place during emergencies, except for the limited covered entities and with respect to limited provisions of the HIPAA Privacy Rule as described above.

[View source.]