Health AlertEffective March 15, 2020, the Department of Health and Human Services (HHS) issued a Bulletin announcing that HHS Secretary Alex Azar has exercised his authority to waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule.

When the secretary issues such a waiver, it only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.

Covered hospitals that meet the above criteria will have sanctions and penalties waived for non-compliance with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).

When the presidential or secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

The Bulletin also provides additional guidance about HIPAA privacy and disclosures for all covered entities in emergency situations in the following situations:

  • Treatment
  • Public health activity (to a public health authority, at the direction of a public health authority to a foreign government agency, and to persons at risk)
  • Disclosures to family, friends and others involved in an individual’s care and for notification
  • Disclosures to prevent or lessen a serious and imminent threat
  • Disclosures to the media or others not involved in the care of the patient/notification
  • Minimum necessary

In the Bulletin, HHS discusses the applicability of the HIPAA Privacy Rule to covered entities and business associates. In an emergency situation, covered entities are not relieved of their ongoing obligations to implement reasonable safeguards to protect patient information against impermissible uses and disclosures, and both covered entities and business associates are expected to apply administrative, physical and technical safeguards of the HIPAA Security Rule to electronic protected health information.

The Bulletin includes links to additional helpful resources for COVID-19, emergency preparedness and other federal civil rights laws that apply in an emergency.

For more information, please contact one of the attorneys in our Health Care industry group.

Link to COVID-19 Resources page