As the number of Coronavirus (COVID-19) diagnoses increases across the U.S., Secretary of Health and Human Services (HHS) Alex Azar recently declared a temporary waiver for certain HIPAA Privacy Rule sanctions for hospitals.
Per the Privacy Rule of the Project BioShield Act of 2004, Azar on March 15, 2020, announced his electing to waive the HIPAA provisions found in 45 CFR, which means that hospitals won’t be penalized if they fail to:
The HHS noted that this waiver only applies to either health care providers that are in the emergency area identified in the public health emergency declaration, or hospitals that have put together a disaster protocol. The waiver also applies for only up to 72 hours from the time a hospital makes that emergency declaration.
Azar’s declaration comes nearly two months since the HHS first declared the Coronavirus a public health emergency. Since then, the health care practice sector has found it difficult to share critical information on COVID-19 carriers — keeping emergency personnel, public health officials and family members of those carriers grounded.
In his order, Azar notes that the HIPAA Privacy Rule has privacy and disclosure provisions that apply even without a waiver in place.
For example, “covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.”
Under the HIPAA waiver, a covered health care entity can share a patient’s protected health information with the patient’s “family members, friends, or other persons identified by the patient as involved in the patient’s care.”
The health care facility also can use that information “as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death,” by disclosing that information to “the police, the press, or the public at large.”
HIPAA also permits health information data to be shared for public health organizations (such as the Centers for Disease Control and Prevention or a local health department) and initiatives that aim to improve public health and safety in order to prevent or control diseases.
Azar’s declaration also emphasizes that health care providers are still responsible for limiting “intentional or unintentional impermissible uses and disclosures” while protecting patient data.
“For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary’ to accomplish the purpose,” the notice reads, adding that the “minimum necessary requirements do not apply to disclosures to healthcare providers for treatment purposes.”
Further, “Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances.
“In addition, internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.”
Also, disclosures to the media and others not involved with the patient’s care are not allowed without a patient’s consent.
There are so many elements of health care compliance in play during this crucial time, and you may find it difficult to keep up with them to determine whether your practice is staying compliant. We at Chapman Law Group are here to help.
Our health law attorneys have been staying abreast of temporary state and federal changes to health policy and practice in the wake of Coronavirus. This includes adjustments to professional licensure requirements, how health care employers and employees should have proper protection and safety measures in place at the work site, and the broadening of telehealth.
Our four national offices are in Detroit, Michigan; Miami and Sarasota, Florida; and Los Angeles/Southern California. Contact us today so we may answer any questions you have about compliance and all other legal matters that concern your practice.
"*" indicates required fields
Miami Office
701 Waterford Way, Suite 340
Miami, FL 33126
Phone: (305) 712-7177
In “Physician Guide to Basic Compliance Concepts,” Chapman Law Group’s national healthcare compliance attorneys cover how to spot and avoid healthcare fraud, handling investigations and audits, and keeping your staff in the right.
COVID-19 will become one of the biggest compliance challenges in our lifetime, as new compliance and regulatory measures abound in the health care sector.
The HHS lays out circumstances for which COVID-19-related PHI can be released to first responders – without the patient’s authorization but in compliance with HIPAA.
Do you have the proper protection and safety measures in place to handle Coronavirus? More specifically, does your health care employer have these measures?
Michigan OFFICE
1441 W Long Lake Road
Suite 310
Troy, MI 48098
T. 248.644.6326
F. 248.644.6324
CALIFORNIA OFFICE
5250 Lankershim Blvd.
Ste. 500
North Hollywood, CA 91601
T. (818) 287-0576
FLORIDA OFFICES
6841 Energy Court
Suite 120
Sarasota, FL 34240
T. 941.893.3449
701 Waterford Way
Suite 340
Miami, FL 33126
T. 305.712.7177
Practice Areas
Attorneys
© CHAPMAN LAW GROUP. ALL RIGHTS RESERVED
