UPDATE - HHS Announces Limited HIPAA Waiver for Hospitals

Kevin Wood
Winstead PC
Contact
LinkedIn
Facebook
X
Send
Embed

Winstead PC

As noted in our recent alert listed below, the HIPAA Privacy Rule is not suspended during a public health or other emergency. However, the Secretary of Health & Human Services may waive certain portions of the Privacy Rule during an emergency. Effective as of March 15, 2020 (and retroactive to March 1, 2020), HHS Secretary Alex Azar issued a limited waiver of HIPAA sanctions and penalties. Even with this limited waiver in place, HHS continues to stress the importance of appropriately sharing healthcare information and maintaining healthcare privacy protections during the COVID-19 pandemic situation.

Under the waiver, a covered hospital will not be penalized for failure to comply with the following Privacy Rule requirements:

  • The requirement to obtain a patient’s agreement, when possible, to speak with family members or friends involved in the patient’s care;
  • The requirement to honor a request to opt out of inclusion in the hospital’s patient directory;
  • The requirement to provide a copy of the hospital’s notice of privacy practices;
  • The requirement to abide by a patient’s right to request privacy restrictions; or
  • The requirement to abide by a patient’s right to request confidential communications.

This limited waiver only applies to hospitals: (1) in the United States, as the emergency area identified in the Secretary’s declaration; (2) that have instituted disaster protocols; and (3) only for the 72-hour period after the hospital implemented its disaster protocol. In other words, the waiver protects hospitals from penalties in the short window of time when inadvertent disclosures could occur following implementation of disaster protocols. Once the hospital has operated under its disaster protocols for 72 hours, HHS presumes that compliance with the HIPAA Privacy Rule can be reinstituted and maintained.

HIPAA and its Privacy and Security Rules only apply to covered entities and business associates. Persons or organizations that are not covered entities or business associates may be subject to other data privacy requirements. When dealing with healthcare information, it is important for all persons or organizations to understand their obligations under applicable law.

The full language of the Secretary’s waiver, including this HIPAA component, may be found at: https://www.phe.gov/emergency/news/healthactions/section1135/Pages/covid19-13March20.aspx.

The HHS bulletin discussing the waiver (which includes guidance about how to use or share healthcare information as well as resources regarding COVID-19) may be found at: https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Winstead PC | Attorney Advertising

Written by:

Winstead PC
Winstead PC
Contact
more
less

Winstead PC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide