Will HIPAA obligations be relaxed or waived in the wake of the coronavirus outbreak in the United States? They could be. This blog post contains information that is helpful to understand in preparation for such possibility.
The Secretary of the Department of Health and Human Services (the “Secretary”) has the authority to declare a Public Health Emergency in situations such as a pandemic. A Public Health Emergency declaration allows the Secretary to take certain actions in response to the emergency, including waiving certain HIPAA Privacy Rule requirements. Although, as of this writing, the Secretary has not yet declared a Public Health Emergency, covered entities and their business associates should be aware of their HIPAA Privacy obligations and potential relief from these obligations if such a declaration is made.
When would covered entities and their business associates know of a HIPAA Privacy Rule waiver?
First, the President must declare an emergency or disaster pursuant to the National Emergencies Act or the Robert T. Stafford Disaster Relief and Emergency Assistance Act. The President made this declaration on March 13, 2020. Next, the Secretary must declare a Public Health Emergency (“PHE”) pursuant to the Public Health Service Act. The Secretary has not yet declared a PHE, but Dorsey will continue to monitor any related announcements and provide updates as they occur. Finally, at least two days before waiving any HIPAA requirements, the Secretary must provide a certification and advance written notice to Congress about the Secretary’s intent to waive HIPAA requirements. 42 U.S.C. § 1220b-5. The DHS website would likely post this notice or the information contained within the notice, or otherwise make it publicly available.
What will be the scope of a waiver?
The Secretary’s notice to Congress must include a description of:
- the specific provisions that will be waived or modified;
- the health care providers to whom the waiver or modification will apply;
- the geographic area in which the waiver or modification will apply; and
- the period of time for which the waiver or modification will be in effect. 42 U.S.C. § 1220b-5.
If a waiver is issued, Dorsey will provide more guidance about its scope and application.
What HIPAA Privacy provisions could be waived?
The Secretary may waive sanctions and penalties against covered entities that do not comply with certain provisions of the HIPAA Privacy Rule, including:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
- The requirement to honor a request to opt out of the facility directory;
- The requirement to distribute a notice of privacy practices;
- The patient’s right to request privacy restrictions;
- The patient’s right to request confidential communications
The Secretary also has authority to modify (but not waive) deadlines and timetables for the performance of required activities, such as reporting requirements. 42 U.S.C. § 1220b-5(b)(5).
Are there any existing HIPAA Privacy Rule exceptions that are relevant during a pandemic?
Yes. The HIPAA Privacy Rule currently includes exceptions for when protected health information may be shared even if no PHE has been declared. Covered entities may disclose protected health information without individual authorization under certain circumstances:
- To a public health authority for the purpose of preventing or controlling disease;
- At the direction of a public health authority, to a foreign government agency; and
- To persons at risk of spreading a disease if other law, such as state law, authorizes the covered entity to do so. 45 C.F.R. §§ 164.501, 164.512(b)(1).
Protected health information may also be shared under certain circumstances:
- To family friends, and others involved in an individual’s care and for notification;
- To prevent a serious and imminent threat to the health and safety of a person or to the public; and
- In limited circumstances, to others not involved in the care of the patient. 45 C.F.R. §§ 164.510, 164.512, 164.508.
Please see the February 2020 HIPAA Privacy and Novel Coronavirus bulletin from the DHHS Office for Civil Rights for more details on these current HIPAA provisions and when they apply.
What do covered entities and their business associates need to do in preparation for a waiver?
Covered entities and their business associates do not have advanced requirements in order to be eligible for a waiver. If a PHE is declared and the Secretary issues a waiver, that announcement will provide details about modifications to or waivers from specific HIPAA rules, as well as information about to whom the waivers or modifications apply. Once those details are released, covered entities will need to evaluate the applicability of the waivers to their operations, and if they are applicable, how they will be implemented.
Additionally, the DHHS Emergency Preparedness Decision-Tool may be helpful in determining what protected health information can be released for planning or response activities in emergency situations. The DHHS February 2020 bulletin also offers helpful guidance about the existing HIPAA Privacy Rule requirements and exceptions which may already be useful to help address uses and disclosures in the context of this public health outbreak.
Until a PHE is declared and a subsequent waiver is issued, covered entities and business associates should continue to comply with all HIPAA Privacy Rule obligations. We will continue to closely monitor the federal response to the coronavirus pandemic.