HIPAA Sanctions Relaxed As Coronavirus Carries On

The health care law attorneys at Chapman Law Group discuss compliance and regulatory matters health care practitioners should know in the wake of the Coronavirus.

As the number of Coronavirus (COVID-19) diagnoses increases across the U.S., Secretary of Health and Human Services (HHS) Alex Azar recently declared a temporary waiver for certain HIPAA Privacy Rule sanctions for hospitals.

Per the Privacy Rule of the Project BioShield Act of 2004, Azar on March 15, 2020, announced his electing to waive the HIPAA provisions found in 45 CFR, which means that hospitals won’t be penalized if they fail to:

  • Obtain a patient’s agreement to speak with family members or friends involved in that patient’s care
  • Honor a request to opt out of the facility directory
  • Distribute a notice of privacy practices
  • Honor the patient’s right to request privacy restrictions
  • Honor the patient’s right to request confidential communications

The HHS noted that this waiver only applies to either health care providers that are in the emergency area identified in the public health emergency declaration, or hospitals that have put together a disaster protocol. The waiver also applies for only up to 72 hours from the time a hospital makes that emergency declaration.

Azar’s declaration comes nearly two months since the HHS first declared the Coronavirus a public health emergency. Since then, the health care practice sector has found it difficult to share critical information on COVID-19 carriers — keeping emergency personnel, public health officials and family members of those carriers grounded.

What Can Be Shared Under HIPAA Without a Waiver

In his order, Azar notes that the HIPAA Privacy Rule has privacy and disclosure provisions that apply even without a waiver in place.

For example, “covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.”

Under the HIPAA waiver, a covered health care entity can share a patient’s protected health information with the patient’s “family members, friends, or other persons identified by the patient as involved in the patient’s care.”

The health care facility also can use that information “as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death,” by disclosing that information to “the police, the press, or the public at large.”

HIPAA also permits health information data to be shared for public health organizations (such as the Centers for Disease Control and Prevention or a local health department) and initiatives that aim to improve public health and safety in order to prevent or control diseases.

What Is Limited Under HIPAA

Azar’s declaration also emphasizes that health care providers are still responsible for limiting “intentional or unintentional impermissible uses and disclosures” while protecting patient data.

“For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary’ to accomplish the purpose,” the notice reads, adding that the “minimum necessary requirements do not apply to disclosures to healthcare providers for treatment purposes.”

Further, “Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances.

“In addition, internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.”

Also, disclosures to the media and others not involved with the patient’s care are not allowed without a patient’s consent.

We Are Here to Answer Your HIPAA Questions

There are so many elements of health care compliance in play during this crucial time, and you may find it difficult to keep up with them to determine whether your practice is staying compliant. We at Chapman Law Group are here to help.

Our health law attorneys have been staying abreast of temporary state and federal changes to health policy and practice in the wake of Coronavirus. This includes adjustments to professional licensure requirements, how health care employers and employees should have proper protection and safety measures in place at the work site, and the broadening of telehealth.

Our four national offices are in Detroit, MichiganMiami and Sarasota, Florida; and Los Angeles/Southern California. Contact us today so we may answer any questions you have about compliance and all other legal matters that concern your practice.

Need an Attorney? Contact us now!
or Call us at: 1 (877) 234-5911

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Related Attorneys

Juan C. Santos, LL.M.

Senior Attorney

Healthcare Compliance, Healthcare Fraud Defense

Miami Office
701 Waterford Way, Suite 340
Miami, FL 33126
Phone: (305) 712-7177

Recent Posts

Related Posts

Blog Categories

Blog Archives

Chapman Law Group Favicon

This website uses cookies to ensure you get the best experience on our website.

Send this to a friend