HIPAA Waiver: How COVID-19 Impacts HIPAA Compliance
May 6, 2020
On March 13, President Donald Trump declared a national emergency in response to the rapid spread of COVID-19. Two days following this statement, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a limited waiver of certain HIPAA sanctions and penalties to ease access of data for providers, public health authorities, and others.²
This HIPAA waiver has important ramifications for care coordination, public health, and the attempted prevention or control of the virus. Read on to learn more about how it may affect your organization’s coronavirus response.
What does the HIPAA waiver cover?
The HIPAA waiver, which went into effect March 15, makes covered hospitals exempt from complying with certain provisions in the HIPAA Privacy Rule. These provisions include:
- Requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
- The requirement to honor a request to opt-out of the facility directory
- The requirement to distribute a notice of privacy practices
- The patient’s right to request privacy restrictions
- The patient’s right to request confidential communications²
Who does the HIPAA waiver apply to?
The waiving of these provisions means that certain hospitals cannot be penalized by HHS for failing to observe these rules. The original waiver only applied:
- In the emergency area identified in the public health emergency declaration
- To hospitals that have instituted a disaster protocol
- For up to 72 hours from the time the hospital implements its disaster protocol
Once this declaration reaches its point of termination, hospitals must again comply with all the requirements of the Privacy Rule for any patient still under its care.²
While the original waiver only exempted Covered Entities from penalty, another notice, issued April 2, also allowed for uses and disclosures of PHI by Business Associates. This is intended to give Federal public health authorities and health oversight agencies access to data.
“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” said OCR Director Roger Severino. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”³
Why is this HIPAA waiver necessary?
The Project BioShield Act of 2004 gives HHS the authority to waive some HIPAA provisions during a nationwide public health emergency so that transmission of patient information and patient care can be more freely facilitated.
Even without a waiver, the HIPAA Privacy Rule allows healthcare providers to share patient information for the purposes of treatment; public health activities; and disclosures to those involved in an individual’s care, to prevent an imminent threat, or to the media.
“Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient,” the waiver said. “Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.”
Public health authorities like the CDC (Centers for Disease Control and Prevention) or a state or local health department also require access to PHI (protected health information) in order to assess the public health crisis and respond accordingly. In addition disclosures to family, friends, and others involved in a patient’s care are allowed, although HHS still recommends getting verbal permission from the patient when possible.
The department said that without a patient’s consent, disclosures to the media and others not involved in the individual’s care may not be done. In all cases, the minimum necessary standard should still be observed.
“For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary’ to accomplish the purpose,” the waiver said. “(Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.)”²
What impact will this waiver have?
In a recent interview with Information Security Media Group, Kirk Nahra, an attorney for the law firm WilmerHale, said federal regulators are hoping to create more flexibility in how information is shared and utilized within the country’s healthcare system. However, he said, some of the waivers HHS has issued connected with the HIPAA Privacy Rule create unnecessary exemptions.
The waiver Nahra called “potentially the most concerning is the provision dealing with confidential communications,” which waives the requirement to comply with patients’ requests to choose how they receive health records.
In another waiver, HHS expanded telehealth services by waiving restrictions on video communication tools. This means that FaceTime, Google Hangouts, Skype, and other applications can now be used by providers for remote treatment.
“I would put the telehealth waiver in the context of some ongoing issues that HHS has had where basically, there are technologies that are convenient to patients, where the healthcare provider community hasn’t been sure that they’re allowed to use those technologies under the HIPAA Security Rule,” Nahra said.
The intention of the telehealth waiver is to increase the possible number of healthcare visits while cutting down contact. Nahra said that now, when providers do telehealth visits, they “don’t have to go through the full HIPAA risk assessment and that they don’t have to be worried about enforcement of a security problem if you do telehealth visits in those settings.”
In reference to the COVID-19 crisis, Nahra said, “We are finding for the most part that the HIPAA rules actually work pretty well in these settings. There are the ability to make disclosures for treatment purposes, there are the ability to make disclosures for public health purposes, etc. So, while they obviously weren’t thinking about this specific situation in writing the rules, they were thinking about situations like this, or enough like this that they anticipated a lot of the needs here.”⁴
- CNN: Trump Declares National Emergency
- HHS: COVID-19 HIPAA Bulletin
- HHS: OCR Announces Notification of Enforcement Discretion
- Healthcare Info Security: Impact of HHS’ HIPAA Moves for COVID-19 Crisis