Healthcare providers must continue to be cognizant of patient privacy and HIPAA requirements during the COVID-19 pandemic.
While the HIPAA Privacy Rule remains in effect during a public health emergency, the U.S. Department of Health and Human Service (“HHS”) may temporarily waive certain regulatory requirements. The government may also issue guidance to help healthcare providers interpret existing requirements in light of COVID-19.
The following is a summary of recent HIPAA developments and guidance related to COVID-19:
Limited Waiver of HIPAA Sanctions and Penalties for Hospitals
In a decision that became effective on March 15, the Secretary of HHS waived sanctions and penalties against hospitals that do not comply with five specific provisions of the HIPAA Privacy Rule. It is important to note the waiver is very limited in scope and only applies to hospitals.
HHS issued a COVID-19 & HIPAA Bulletin (HIPAA Bulletin) outlining the limited HIPAA waiver. As noted in the Bulletin, the waiver of sanctions and penalties only applies to the following HIPAA provisions:
- Requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- Requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- Requirement to distribute a Notice of Privacy Practices. See 45 CFR 164.520.
- Patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- Patient’s right to request confidential communications. See 45 CFR 164.522(b).
The waiver is limited to hospitals that have instituted a disaster protocol for COVID-19 and only lasts up to 72 hours from the time the hospital institutes its disaster protocol.
For questions about this waiver, please contact a Woods Rogers Health Law attorney.
HHS Guidance on HIPAA Privacy and Disclosures in Emergency Situations
The HIPAA Bulletin also includes guidance on several existing HIPAA provisions that may apply to emergencies situations, such as the COVID-19 pandemic. The full text of the HIPAA Bulletin guidance can be found here. The following is a brief summary of the key points:
- Disclosures to a public health authority. Protected health information may be disclosed to a public health authority such as the CDC or a state or local health department without the patient’s authorization. Disclosures may be made to report disease and vital events such as deaths and to conduct public health surveillance or interventions. As an example of how this may apply to COVID-19, HHS indicated that “a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have COVID-19.” See 45 CFR § 164.512(b).
- Disclosures to persons at risk of contracting or spreading COVID-19. Protected health information may be disclosed to a person who may have been exposed to COVID-19 or may be at risk of contracting or spreading COVD-19 if the healthcare provider is authorized by law to make such notifications to prevent or control the spread of the disease or to carry out a public health intervention or investigation.
- Disclosures to prevent or lessen a serious and imminent threat. Healthcare providers may disclose protected health information based on the good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. These disclosures must be consistent with applicable law and ethical conduct. According to the HIPAA Bulletin, providers may make disclosures under this provision to “anyone who is in a position to prevent or lessen the serious and imminent threat, including family, friends, caregivers and law enforcement without the patient’s permission.”
A Word of Caution About Disclosures to the Media or Public At Large
Although these are unprecedented times, healthcare providers may not make disclosures to the media or the public at large about an identifiable patient without the patient signing a HIPAA-compliant authorization. While there may be very limited exceptions to this requirement, we recommend being very cautious in making public disclosures and consulting legal counsel as necessary.
Please contact the Woods Rogers Health Law Group if you need help navigating the HIPAA rules and requirements that may apply to COVID-19.