Although the HIPAA Privacy Rule, which restricts the use and disclosure of individuals’ protected health information, applies even during public health emergencies, federal law permits the Secretary of the U.S. Department of Health and Human Services (HHS) to waive some of its requirements in order to lessen the barriers of data sharing within the healthcare sector during a public health emergency.
The COVID-19 pandemic is such a public health emergency that has resulted in government action at every level. On January 31, 2020, HHS Secretary Alex M. Azar declared a public health emergency related to COVID-19. On March 13, 2020, President Donald J. Trump declared a nationwide emergency. According to an HHS Bulletin, “Secretary Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply” with specific provisions of the HIPAA Privacy Rule. The waiver went into effect on March 15, 2020, and applies to the following requirements:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
- The requirement to honor a request to opt-out of the facility directory.
- The requirement to distribute a notice of privacy practices.
- The patient’s right to request privacy restrictions.
- The patient’s right to request confidential communications.
Importantly, Secretary Azar’s waiver applies only to hospitals that have instituted a disaster protocol. The waiver applies up to 72 hours from the time the hospital implements its disaster protocol or when the presidential or Secretarial declaration terminates – whichever is earlier. A hospital must then comply with the HIPAA Privacy Rule in its entirety.
HHS’ Bulletin makes clear that, even under public health emergencies, a covered entity must use reasonable efforts to ensure protected health information disclosed is limited to the minimum necessary information to achieve the purpose of the disclosure.