Natali_Mis/istock via Getty Imag

HHS Issues Limited Waiver of HIPAA Sanctions Due to Coronavirus

HHS Secretary Alex Azar lifted certain HIPAA sanctions in response to the Coronavirus pandemic, including obtaining patient consent before sharing information with family about the individual's care.

Following President Donald Trump’s declaration of a nationwide emergency over the Coronavirus, or COVID-19, the Department of Health and Human Service Secretary Alex Azar issued a limited waiver of certain HIPAA sanctions to improve data sharing and patient care during the pandemic.

HHS first declared the Coronavirus a public health emergency on January 31. COVID-19 is increasing data sharing challenges within the healthcare sector, including what information can be shared with family members, public health officials, and emergency personnel.

The Project BioShield Act of 2004, allows HHS to waive some HIPAA provisions to remove some of those barriers and clarify HIPAA rules, which Azar has exercised to protect hospitals that do not comply with some provisions.

“The HIPAA Privacy Rule allows patient information to be shared to assist in nationwide public health emergencies, and to assist patients in receiving the care they need,” the notice reads.

Under the waiver, hospitals will not be penalized for failing to comply with HIPAA requirements found in 45 CFR:

• to obtain a patient's agreement to speak with family members or friends involved in the patient’s care

• the requirement to honor a request to opt out of the facility directory

• the requirement to distribute a notice of privacy practices

• the patient's right to request privacy restrictions

• the patient's right to request confidential communications

The waiver first went into effect on March 15, but Azar stressed that it only applies to providers located in the emergency area identified in the public health emergency declaration, as well as hospitals that implemented disaster protocols and up to 72 hours from the time a hospital makes that declaration.

“When the Presidential or secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol,” the alert reads.

In addition to the waiver, the notice also reminds healthcare providers that patient information is allowed to be shared for a wide range of reasons, including for treatment purposes that bolster care coordination or care management between providers.

HIPAA also allows data sharing of health information for public health activities to improve public health and safety. This includes sharing patient information with public health authorities like the Centers for Disease Control and Prevention or a local health department in order to prevent or control diseases.

“This would include, for example, the reporting of disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions,” according to the notice.

“For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have COVID-19,” it continued.

Disclosures are also allowed for preventing or lessening serious and imminent threats. The notice also outlines acceptable reasons for when to share patient information with family members, friends, and others involved with the individual’s care.

But HHS stressed that without a patient's consent, disclosures to the media and others not involved with the patient’s care are not allowed. Healthcare providers were also reminded that they are still responsible for limiting impermissible uses and disclosures, while protecting patient data.

“For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary’ to accomplish the purpose,” the notice reads. “[But] minimum necessary requirements do not apply to disclosures to healthcare providers for treatment purposes.”

“Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances,” it concluded. “In addition, internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.”

Next Steps

Dig Deeper on HIPAA compliance and regulation