
HHS Waives HIPAA Sanctions to Facilitate Suppression of Coronavirus

Client Alert

Authors: Sharon R. Klein, Judith L. O'Grady and Abigail L. Yeo


Following declarations of a public health emergency by President Trump and the Secretary of the Department of Health and Human Services (HHS), HHS continues to loosen legal restrictions in an effort to mitigate harm from the coronavirus (COVID-19) outbreak. This past week, HHS issued a declaration limiting liability for coronavirus countermeasures. Most recently, on March 15, the Secretary issued a waiver of sanctions under the HIPAA Privacy Rule. By removing certain requirements for disclosure, this waiver facilitates the flow of health information to promote awareness of exposure to the virus and to assist patients in receiving needed care. The waiver builds on the already robust set of disclosures permitted by the HIPAA Privacy Rule, which allows the dissemination of health information to facilitate treatment and mitigate public health threats. The waiver applies only within the emergency area, to hospitals that have instituted a disaster protocol, for up to 72 hours from the hospital’s implementation of the protocol or until President Trump or the Secretary revokes the emergency declaration.1

Expansions to the HIPAA Privacy Rule

While the HIPAA Privacy Rule already allows some patient information to be shared under exigent circumstances, the March 15 waiver lowers existing requirements for information disclosure and expands the circumstances where disclosure is permitted. Penalties are removed for noncompliance with the following provisions of the HIPAA Privacy Rule:

  • the requirement to obtain a patient's agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b))

  • the requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a))

  • the requirement to distribute a notice of privacy practices (45 CFR 164.520)

  • the patient's right to request privacy restrictions (45 CFR 164.522(a))

  • the patient's right to request confidential communications (45 CFR 164.522(b)).

Existing Permissions Under the HIPAA Privacy Rule

The waiver does not otherwise modify the permitted actions or requirements under the HIPAA Privacy Rule. The HIPAA Privacy Rule covers disclosures by employees or members of health plans, health care clearinghouses and health care providers that conduct more than one health care transaction electronically, as well as entities that create, receive, maintain or transmit protected health information for covered entities. Even in the absence of a health emergency, disclosures of health information for treatment and other public health reasons are still allowed,2 although disclosure must be limited to only the “minimum necessary” information to effectuate those purposes. Disclosure of patient information is permitted for the following reasons:

  • Treatment: Without patient authorization, covered entities may disclose health information necessary to treat the patient or another patient. Permitted disclosures include coordination between health care providers or referrals of patients for treatment.3

  • Public Health Activities: Where public health and safety demand, health information may be disclosed to public health authorities, such as government agencies; at the direction of the public health authority, to collaborating foreign government agencies; and to people at risk of contracting or spreading the disease, if authorized by other law.4

  • Disclosures to Family, Friends and Others Involved in Care: Entities may disclose patient information that will assist those responsible for the individual’s care.5 Verbal permission is required unless the individual is incapacitated.

  • Disclosures to Mitigate Threats: Providers may disclose health information without patient permission in order to curtail serious and imminent health threats.6

  • Disclosures to Media and Other Uninvolved Parties: Generally, public disclosure of identifiable health information requires written consent from the patient. Consent may not be required if the patient is incapacitated or where the patient has not objected or restricted release of the information and there is a direct request to disclose that particular patient’s information.7

Covered entities must maintain safeguards to protect health information in adherence with the HIPAA Security Rule. Administrative, physical and technological measures must be taken to ensure the validity and confidentiality of the data.


1 “COVID-19 & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency,” Dep’t Health & Human Services, https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf (March 15, 2020).

2 “Is the HIPAA Privacy Rule suspended during a national or public health emergency?” Dep’t Health & Human Services, https://www.hhs.gov/hipaa/for-professionals/faq/1068/is-hipaa-suspended-during-a-national-or-public-health-emergency/index.html (July 26, 2013).

3 45 CFR §§ 164.501, 164.502(a)(1)(ii), 164.506(c).

4 See 45 CFR 164.512(b)(1)(iv).

5 45 CFR 164.510(b).

6 45 CFR 164.512(j).

7 45 CFR 164.510(a).

The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.
