When It’s OK to Share: OCR’s Novel Coronavirus Disease (COVID-19) Limited Waiver
Novel Coronavirus, aka COVID-19, is on track to stretch our healthcare system to the breaking point, and our healthcare providers along with it. In effect as of March 15, 2020, the OCR’s published a Limited Waiver of HIPAA Sanctions and Penalties that during this National Emergency could give care providers one less source of anxiety as they work to save lives.
What the Limited Waiver means to hospitals, emergency rooms & you
Although HIPAA remains in force, the very nature of responding to care demands places a huge strain on healthcare providers. Extraordinary circumstances call for extraordinary measures.
To help reduce the concern of potential financial penalties, the HHS Secretary has (as per the issued publication) “exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule”:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
See 45 CFR 164.510(b)
- the requirement to honor a request to opt-out of the facility directory
See 45 CFR 164.510(a)
- the requirement to distribute a notice of privacy practices
See 45 CFR 164.520
- the patient’s right to request privacy restrictions
See 45 CFR 164.522(a)
- the patient’s right to request confidential communications
See 45 CFR 164.522(b)
Don’t forget the defining word is “limited.” The limited waiver only applies until the President of the United States or the HHS Secretary terminates the national emergency status. From that point on, the HIPAA Privacy Rule and associated potential penalties are reinstated. Also remember that national emergency or no, disclosures of personal information are allowed to disaster relief organizations, like the American Red Cross. That leniency lets them notify loved ones of your location. Also keep in mind that the waiver applies only to hospitals, including their emergency rooms. Other covered entities – like doctors and health plans, still must comply with all Privacy Rule requirements.
- On COVID-19, please visit: https://www.coronavirus.gov or https://www.cdc.gov/coronavirus/2019-ncov/index.html
- Regarding HIPAA and COVID-19, view the HHS Office for Civil Rights’ (OCR) March 16, 2020, Bulletin on the HIPAA Waiver here: https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf
- View the Waiver or Modification of Requirements under Section 1135 of the Social Security Act as the result of the consequences of the 2019 Novel Coronavirus at: https://www.phe.gov/emergency/news/healthactions/section1135/Pages/covid19-13March20.aspx
- How the HIPAA Privacy Rule applies in an emergency, visit the OCR’S HIPAA Emergency Preparedness, Planning, and Response page or you may use the HIPAA Disclosures for Emergency Preparedness Decision Tool.
Contact Apgar & Associates for consulting expertise in privacy, information security, HIPAA, HITECH and regulatory compliance. We also guide you through the what and the how of preparation for HITRUST, SOC2 and ISO certifications.