When It’s OK to Share: OCR’s Novel Coronavirus Disease (COVID-19) Limited Waiver

Novel Coronavirus, aka COVID-19, is on track to stretch our healthcare system to the breaking point, and our healthcare providers along with it. In effect as of March 15, 2020, the OCR’s published a Limited Waiver of HIPAA Sanctions and Penalties that during this National Emergency could give care providers one less source of anxiety as they work to save lives.

What the Limited Waiver means to hospitals, emergency rooms & you

Although HIPAA remains in force, the very nature of responding to care demands places a huge strain on healthcare providers. Extraordinary circumstances call for extraordinary measures.

To help reduce the concern of potential financial penalties, the HHS Secretary has (as per the issued publication) “exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule”:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
    See 45 CFR 164.510(b)
  • the requirement to honor a request to opt-out of the facility directory
    See 45 CFR 164.510(a)
  • the requirement to distribute a notice of privacy practices
    See 45 CFR 164.520
  • the patient’s right to request privacy restrictions
    See 45 CFR 164.522(a)
  • the patient’s right to request confidential communications
    See 45 CFR 164.522(b)

Don’t forget the defining word is “limited.” The limited waiver only applies until the President of the United States or the HHS Secretary terminates the national emergency status. From that point on, the HIPAA Privacy Rule and associated potential penalties are reinstated. Also remember that national emergency or no, disclosures of personal information are allowed to disaster relief organizations, like the American Red Cross. That leniency lets them notify loved ones of your location.   Also keep in mind that the waiver applies only to hospitals, including their emergency rooms.  Other covered entities – like doctors and health plans, still must comply with all Privacy Rule requirements.

Other resources:

Contact Apgar & Associates for consulting expertise in privacy, information security, HIPAA, HITECH and regulatory compliance. We also guide you through the what and the how of preparation for HITRUST, SOC2 and ISO certifications.