HIPAA Privacy Rule Updates
Amidst the novel coronavirus (COVID-19) outbreak, the Secretary of the U.S. Department of Health and Human Services (HHS), Alex M. Azar, took steps on March 15, 2020, to waive sanctions and penalties related to certain provisions of the HIPAA Privacy Rule (the “Waiver”). However, the HIPAA Privacy Rule is not suspended, and the Waiver only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.
The Waiver pertains to the following provisions of the HIPAA Privacy Rule:
- The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care under 45 CFR 164.510(b).
- The requirement to honor a request to opt out of the facility directory under 45 CFR 164.510(a).
- The requirement to distribute a notice of privacy practices under 45 CFR 164.520.
- The patient’s right to request privacy restrictions under 45 CFR 164.522(a).
- The patient’s right to request confidential communications under 45 CFR 164.522(b).
At the same time, HHS posted a bulletin providing guidance to providers facing the challenges imposed by COVID-19. Even without the Waiver, HHS reminds providers that the HIPAA Privacy Rule already permits protected health information (PHI) to be shared in a number of circumstances pertinent to the outbreak.
Safeguarding Patient Information
In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.
HIPAA Applies Only to Covered Entities and Business Associates
The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Covered entities are health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan.
Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate.
The HIPAA Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired). Other state or federal rules may still apply to them.
Business Associates
A business associate of a covered entity (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate, to the extent authorized by its business associate agreement.