HIPAA Waiver During the COVID-19 Public Health Emergency


Effective March 15, 2020, the Secretary of United States Department of Health and Human Services (HHS) announced a temporary limited waiver on certain requirements under the Health Insurance Portability and Accountability Act (HIPAA) during the COVID-19 Public Health Emergency. We have summarized the key points from the waiver below. The full-text of the waiver is available here .

For the duration of the COVID -19 Public Health Emergency, the Secretary has waived sanctions for the following provisions in the HIPAA Privacy Rule:

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care, 45 CFR 164.510(b);
  • The requirement to honor a request to opt out of the facility directory, 45 CFR 164.510(a);
  • The requirement to distribute a notice of privacy practices, 45 CFR 164.520;
  • The patient’s right to request privacy restrictions, 45 CFR 164.522(a); and
  • The patient’s right to request confidential communications, 45 CFR 164.522(b).

Please be advised that the Secretary’s waiver only applies in the following circumstances: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have implemented a disaster protocol; and (3) for up to 72 hours from the time the hospital implements the disaster protocol.

Nonetheless, pursuant to limited HIPAA exceptions and with a patient written consent, providers can share certain information. The HHS Office for Civil Rights, tasked with enforcing HIPAA, released a bulletin to clarify how protected heath information (PHI) may be shared during an outbreak of an infectious disease. The full bulletin is available for review here . The key points from the OCR bulletin are as follows:

  • The bulletin addresses disclosure of PHI permitted without patient consent, such as sharing PHI for treatment purposes, coordinating and managing care, and for patient referrals;
  • The covered entities may disclose a patient’s PHI as necessary to treat the patient or to treat a different patient;
  • PHI may be disclosed for public health activities (i.e. preventing and controlling the spread of disease), such as disclosure to CDC or state or local health departments;
  • Any disclosure of PHI must be restricted to the minimum necessary information to achieve the purpose for disclosure;
  • All information about an identifiable patient such as tests, test results, or details of illness or treatment must remain confidential; and
  • Telehealth providers must be aware that—despite modifying certain HIPAA requirements for the duration of the COVID-19 Public Health Emergency—HIPAA as a whole, as well as state confidentiality laws and regulations have not been waived. As such, all providers must conduct their services within the bounds of this HIPAA waiver and state confidentiality law requirements.

As the situation keeps evolving, guidance from regulators changes rapidly. We will continue to monitor the situation to help you stay informed about the latest updates.
This alert is intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have. We are fully operational during this pandemic and stand ready to assist as you navigate this ongoing and developing COVID-19 situation. Please do not hesitate to contact any member of our response team with your questions and concerns.