HHS Issues a HIPAA Privacy Rule Waiver due to COVID-19

March 23, 2020

Effective March 15, 2020, HHS Secretary Alex M. Azar waived certain penalties and sanctions under the HIPAA Privacy Rule against hospitals in its March 2020 COVID-19 and HIPAA Bulletin. These waivers followed the Secretary’s declaration of a public health emergency on January 31, 2020 and President Donald J. Trump’s declaration of a national emergency due to COVID-19 on March 13, 2020.

The HIPAA Privacy Rule allows patient information to be shared to assist in national emergencies. The HIPAA Privacy Rule is not suspended during a public health crisis, but the Secretary of HHS can waive certain provisions of the Privacy Rule under the Project Bio Shield Act of 2004 (PL 108-276) and Section 1135(b)(7) of the Social Security Act.

Under this authority, Secretary of the US Department of Health and Human Services (HHS) Alex M. Azar waived sanctions and penalties, effective March 15, 2020, against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. 45 CFR §164.510(b)
  • the requirement to honor a request to opt out of the facility directory. 45 CFR §164.510(a)
  • the requirement to distribute a notice of privacy practices. 45 CFR §164.520
  • the patient’s right to request privacy restrictions. 45 CFR §164.522(a)
  • the patient’s right to request confidential communications. 45 CFR §164.522(b)

These waivers apply only (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.

This waiver limits the application of HIPAA in important ways, but even in its absence HIPAA allows patient information to be shared for (A) treatment, (B) public health activities, (C) disclosure to family, friends, and others involved in patient care, (D) preventing or lessening a serious and imminent threat, and (E) basic patient disclosures to the media in the absence of patient-initiated restrictions.

To clarify the confines that covered entities are subject to under HIPAA, we will discuss each of these allowances in detail.

A. Under the HIPAA Privacy Rule, covered entities may disclose protected health information about a patient as necessary to treat the patient or another patient. This allowance includes the coordination or management of health care and related services by one or more health providers and others, consultation between providers, and the referral of patients for treatment. 45 CFR §§ 164.502(a)(1)(ii), 164.506(c).

B. This rule also recognizes that public health authorities and others responsible for ensuring public health and safety require PHI to carry out their public health mission. Therefore, the Privacy Rule already allows covered entities to disclose PHI without individual authorization in three distinct situations: (i) disclosure to public health authorities, such as the CDC or state health departments, when they are authorized by law to collect such information for the purpose of controlling disease, injury or disability. These “public health authorities” are agencies of a State or Territory, Indian Tribes responsible for public health as part of their official mandate, and those acting under a grant of authority from a public health agency. 45 CFR §§ 164.501 and 164.512(b)(1)(i). This means that hospitals dealing with COVID-19 can report all prior and prospective cases of virus exposure. (ii) disclosure to a foreign government agency when directed to do so by a public health authority. 45 CFR §164.512(b)(1)(i). (iii) disclosure to persons at risk of contracting or spreading a disease. 45 CFR §164.512(b)(1)(iv).

C. A covered entity may also share PHI with a patient’s family members, relatives, friends, or other persons identified by the patient as involved with the patient’s care. It can also share information about a patient to identify, locate, and notify those responsible for the patient’s care of the patient’s location, general condition, or death. This notification can include family members, the police, the press, or the public. 45 CFR §164.510(b). The covered entity should seek verbal permission from the patient or otherwise be able to reasonably infer that the patient does not object; where the patient is incapacitated, it should share this information only if doing so is in the patient’s best interest. Permission is unnecessary when sharing PHI with disaster relief organizations such as the Red Cross, or if obtaining a patient’s permission would interfere with the organization’s ability to respond to the emergency.

D. Health providers may also share PHI with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. See 45 CFR §164.512(j). HIPAA explicitly defers this decision to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. 45 CFR §164.512(j).

E. Finally, covered entities are generally limited from reporting to the press or the public at large about an identifiable patient, including any disclosure to the public or media of specific information about the treatment of the patient. Disclosure of things like specific tests, test results, or details of a patient’s illness must be done with the patient’s written authorization. 45 CFR §164.508. However, when a patient has not objected to the release of PHI, a covered entity can release limited facility directory information to acknowledge that an individual is a patient at the facility, and may provide general information about the patient’s condition. Covered entities can also disclose information when the patient is incapacitated, so long as the disclosure is believed to be in the best interests of the patient and is consistent with any prior expressed preference of the patient. 45 CFR §164.510(a).

Even with the current COVID-19 pandemic, a covered entity should make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose. 45 CFR §§ 164.502(b), 164.514(d). This requires covered entities to continue to implement reasonable safeguards to protect patient information against impermissible disclosures. All administrative, physical, and technical safeguards of the HIPAA Security Rule still apply to electronic protected health information.

