HHS COVID-19 HIPAA Bulletin-Limited 72 Hour Waiver; Permissible Disclosures Reminder
March 19, 2020
Even in the midst of a nationwide public health emergency, the HIPAA Privacy Rule (“Privacy Rule”) provisions still apply. However, the Secretary of the U.S. Department of Health and Human Services (“HHS”) may waive certain provisions of the Privacy Rule pursuant to the Project Bioshield Act of 2004 and Section 1135(b)(7) of the Social Security Act.
President Trump’s declaration of a nationwide emergency due to COVID-19, combined with Secretary of the HHS Alex M. Azar’s prior declaration of a public health emergency on January 31, 2020, permits Secretary Azar to exercise his authority to waive sanctions and penalties against covered hospitals that do not comply with certain provisions of the HIPAA Privacy Rule for up to 72 hours from the implementation of the waiver:
- The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care, 45 C.F.R. § 164.510(b);
- The requirement to honor a request to opt out of the facility directory, 45 C.F.R. § 164.510(a);
- The requirement to distribute a Notice of Privacy Practices, 45 C.F.R. § 164.520;
- The patient’s right to request privacy restrictions, 45 C.F.R. § 164.522(a);
- The patient’s right to request confidential communications, 45 C.F.R. § 164.522(b).
Secretary Azar’s waiver went into effect March 15, 2020, is effective retroactively to March 1, 2020, and applies only:
- In the emergency area identified in the public health emergency declaration;
- To hospitals that have instituted a disaster protocol; and
- For a period of time up to 72 hours from the time the hospital implements its disaster protocol.
Once the declaration terminates, all hospitals must then comply with the Privacy Rule for any patient still receiving care, regardless of whether the 72 hours has run.
In its March 16, 2020 Bulletin, HHS provides a refresher on permitted Privacy Rule disclosures during emergency situations, even without an 1135 waiver. Patient information may be shared under the Privacy Rule in an emergency situation for:
- Treatment. See 45 C.F.R. § 164.502(a)(1)(ii), § 164.506(c) and § 164.501;
- Public health activities:
  - To a public health authority. See 45 C.F.R. § 164.512(b)(1)(i);
  - At the direction of a public health authority, to a foreign government agency. See 45 C.F.R. § 164.512(b)(1)(i);
  - To persons at risk. See 45 C.F.R. § 164.512(b)(1)(iv).
- Disclosures to family and friends, and others involved in an individual’s care and for notification. See 45 C.F.R. § 164.510(b);
- Disclosures to prevent or lessen a serious imminent threat. See 45 C.F.R. § 164.512(j);
- Disclosures to the media or others not involved in the care of the patient/notification. See 45 C.F.R. § 164.508 and § 164.510(a).
HHS reiterates that Covered Entities must continue to follow the minimum necessary rule and to protect patient information by implementing reasonable safeguards during this time. The Privacy Rule applies to Covered Entities and Business Associates and their respective employees, contractors, volunteers, and other members of the workforce. Business Associates may make permitted disclosures under the Privacy Rule, such as to a public health authority, on behalf of a Covered Entity if permitted by the applicable Business Associate Agreement between the parties.