HHS Waives Certain HIPAA Privacy Sanctions
Certain HIPAA sanctions and penalties are being waived for hospitals during the nationwide emergency concerning COVID-19.
Which Privacy Rule Provisions Are Waived?
Effective March 15, 2020, covered hospitals will not be held to comply with the following provisions of the HIPAA Privacy Rule:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
- The requirements to honor a request to opt out of the facility directory.
- The requirement to distribute a notice of privacy practices.
- The patient’s right to request privacy restrictions.
- The patient’s right to request confidential communications.
What Are Covered Hospitals?
The waiver to certain HIPAA Privacy Rule requirements only applies to hospitals in the emergency area identified in the public health emergency declaration and only for up to 72 hours after instituting a disaster protocol.
This waiver terminates when the president or secretary of the Department of Health and Human Services declares the nationwide emergency has ended — something we are all anxiously awaiting. At such time, all HIPAA provisions will be enforced, and hospitals will be expected to comply — even if 72 hours have not elapsed since implementation of a hospital’s disaster protocol.
Read the HHS March 20 bulletin for more information about HIPAA privacy and disclosures in emergency situations.