In response to the nationwide emergency declaration and the public health emergency declaration related to the COVID-19 pandemic, the Secretary of Health and Human Services (“HHS”) issued a Bulletin entitled, “COVID-19 & HIPAA Bulletin Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency,” which announced the Secretary’s decision to exercise his authority, under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act, to waive certain provision of the HIPAA Privacy Rule during the COVID-19 pandemic/national emergency. The waiver was effective March 15, 2020.
While the HIPAA Privacy Rule is not suspended during the COVID emergency, the Secretary announced HHS would waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 C.F.R. 164.510(b);
- the requirement to honor a request to opt out of the facility directory. See 45 C.F.R. 164.510(a);
- the requirement to distribute a notice of privacy practices. See 45 C.F.R. 164.520;
- the patient’s right to request privacy restrictions. See 45 C.F.R. 164.522(a); and
- the patient’s right to request confidential communications. See 45 C.F.R. 164.522(b).
Note that the waiver applies only: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.
The Bulletin also summarized situations in which patient information can be shared in emergency situations, even without a waiver, such as for treatment purposes, public health activities, disclosures to family, friends and others involved in a patient’s care and with disaster relief organizations, disclosures to prevent or lessen a serious and imminent threat, disclosures to the media or others not involved in the care of the patient/notification. The Bulletin also noted that business associates of covered entities may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate if authorized by the business associate agreement with the covered entity.
Subsequently, on April 2, 2020, the HHS Office for Civil Rights (“OCR”) issued a Notification, effective as of April 2nd, that it would exercise its enforcement discretion and would not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against covered entity health care providers or their business associates for good faith uses and disclosures of protected health information by business associates for public health and health oversight activities during the COVID-19 emergency.
The purpose of the Notification is to facilitate uses and disclosures of protected health information with agencies and authorities like the Centers for Disease Control and Prevention (“CDC”), the Centers for Medicare and Medicaid Services (“CMS”), state and local health departments and state emergency operations centers that require access to patient information related to COVID-19.
Under normal circumstances (i.e., no COVID-19 waiver of enforcement discretion), a business associate would only be able to use and disclose PHI for public health and health oversight activities if specifically permitted in the terms of the business associate agreement with the covered entity. The waiver of enforcement permits these uses and disclosures even if not provided for in the terms of the existing business associate agreement between the parties.
OCR stated that it will exercise its enforcement discretion and will not impose penalties against a business associate or covered entity under certain Privacy Rule provisions (45 C.F.R. §§ 164.502(a)(3), 164.502(e)(2), and 164.504(e)(1) and (5)) if, and only if:
- the business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 C.F.R. 164.512(b), or health oversight activities consistent with 45 C.F.R. § 164.512(d); and
- the business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).
For example, “good faith” uses or disclosures covered by the Notification include:
- Uses and disclosures for or to the CDC or similar state level public health authorities for purposes of preventing or controlling the spread of COVID-19; or
- Uses or disclosures to CMS or a similar state level health care oversight agency needed to oversee or provide assistance for the health care system in connection with COVID-10 response.
The OCR reminded covered entity health care providers and their business associates that the waiver of enforcement discretion described in the Notification does not extend to other requirements of the HIPAA Privacy Rule, or to the HIPAA Security and Breach Notification Rules applicable to covered entities and business associates.
The Bulletin and Notification should provide more flexibility to covered entities and business associates to use and disclose PHI in responding to the COVID-19 pandemic.