HHS Responds to COVID-19 Pandemic By Waiving Certain HIPAA Penalties and Sanctions for Hospitals
Effective March 15, the U.S. Department of Health and Human Services (HHS), in response to President Trump's declaration of a nationwide emergency concerning COVID-19 and Secretary Azar's earlier declaration of a public health emergency, announced that certain requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule would be waived for hospitals covered under HIPAA.
Until the public health emergency caused by the spread of COVID-19 ends, covered hospitals will not be penalized or sanctioned for failing to comply with the following provisions of the Privacy Rule:
- the requirement to obtain a patient's agreement to speak with family members or friends involved in the patient's care, 45 CFR 164.510(b)
- the requirement to honor a request to opt out of the facility directory, 45 CFR 164.510(a)
- the requirement to distribute a notice of privacy practices, 45 CFR 164.520
- the patient's right to request privacy restrictions, 45 CFR 164.522(a)
- the patient's right to request confidential communications, 45 CFR 164.522(b)
These waivers apply only in the emergency area identified in the public health emergency declaration, to a hospital that has instituted its disaster protocols, and for up to 72 hours from the time the hospital implements its disaster protocol.
The Privacy Rule is otherwise not suspended, and entities and business associates covered by HIPAA are still required to comply with the Privacy Rule. While the recent waivers are limited to the above-listed provisions and only applicable to covered hospitals, other covered entities and business associates are permitted to share patient information for treatment, payment, health care operations, and public health activities; to prevent or lessen a serious and imminent threat; and for other purposes authorized by HIPAA.
For the full HHS bulletin, see here.
For more Day Pitney alerts and articles related to the impact of COVID-19, as well as information from other reliable sources, please visit our COVID-19 Resource Center.
COVID-19 DISCLAIMER: As you are aware, as a result of the COVID-19 pandemic, things are changing quickly and the effect, enforceability and interpretation of laws may be affected by future events. The material set forth in this document is not an unequivocal statement of law, but instead represents our best interpretation of where things stand as of the date of first publication. We have not attempted to address the potential impacts of all local, state and federal orders that may have been issued in response to the COVID-19 pandemic.
Recommended
The arrival of Day Pitney Counsel Laura Land Himelstein was featured in the New York Law Journal's Attorneys 'On the Move' column.
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – September
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – September
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – July 2024
Day Pitney Tax Partner Ryan Leichsenring authored an article for the Hartford Business Journal titled, "Here's How to Avoid Common Pitfalls When Managing Charitable Assets."
The news of Ryan Leichsenring joining Day Pitney as a partner in the firm's Tax practice was featured in Thomson Reuters' The Daily Docket Industry Moves column.
Day Pitney Data Privacy Associate Stephanie M. Gomes-Ganhão authored the article "A Review of Part 2: Consider a More Flexible Compliance Program in the Wake of the Revised Rules," for the Journal of Health Care Compliance.
Hartford-based healthcare attorneys Stephanie Gomes-Ganhão and Phoebe Roth authored the article, "Valuable OIG Compliance Advice for New Healthcare Entrants," in the May edition of The Health Care Compliance Association's (HCCA) monthly magazine Compliance Today.
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – April 2024