HHS Announces Limited Waiver of HIPAA Sanctions During COVID-19 Public Health Emergency
The U.S. Department of Health and Human Services (HHS) will not sanction or issue penalties against hospitals failing to comply with certain provisions of the HIPAA Privacy Rule during the COVID-19 public health emergency. The waiver is effective March 15, 2020, and only applies:
- In the emergency area identified in the public health emergency declaration;
- To hospitals that have instituted a disaster protocol; and
- For up to 72 hours from the time the hospital implements its disaster protocol.
HHS identified the following provisions of the HIPAA Privacy Rule as subject to the waiver:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- The requirement to honor a request to opt-out of the facility directory. See 45 CFR 164.510(a).
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- The patient’s right to request confidential communications. See 45 CFR 164.522(b).
Additionally, HHS announced that effective March 17, 2020, it will waive potential HIPAA penalties for good faith use of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. Easily accessible applications—such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype—may be used by health care providers with HHS recognizing that some of these technologies may not fully comply with the requirements of the HIPAA Rules. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
Additional details on the bulletin and notice by HHS are available here.
Minnesota hospitals may have additional privacy considerations, as they are subject to the Minnesota Health Records Act. The Minnesota Departments of Health and Human Services have not yet commented on the federal guidance. Therefore, we recommend following such guidance pending instruction otherwise from either Department. We will continue to monitor updates both nationwide and in Minnesota.