Effective March 15, 2020, Secretary of the U.S. Department of Health and Human Services, Alex M. Azar, exercised the emergency authority granted to him under Section 1 of the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak (the “COVID-19 National Emergency Declaration”) to waive sanctions and penalties against a covered hospital for certain violations of the Health Insurance Portability and Accountability Act of 1996 (the “HIPAA Privacy Rule”). The HIPAA Privacy Rule generally addresses the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used by covered entities.
Secretary Azar’s Waiver of HIPAA Privacy Rule
In response to the COVID-19 National Emergency Declaration and the January 31, 2020 COVID-19 Public Health Emergency Declaration by Secretary Azar determining that a public health emergency exists as of January 27, 2020, Secretary Azar exercised his emergency authority to waive sanctions and penalties against a covered hospital for its failure to comply with the following provisions of the HIPAA Privacy Rule during the periods described in the section below, entitled “Waiver Period.” This limited waiver is explained in detail in a March 2020 COVID-19 & HIPAA Bulletin entitled “Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency.”
- Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification (45 CFR 164.510(b)). A covered entity may share protected health information with an individual’s family members, relatives, close personal friends or any other persons identified by a patient as involved in his or her care if the covered entity obtains verbal permission from an individual or reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure.
Waiver – A covered hospital will not be subject to sanctions or penalties if it fails to obtain an individual’s agreement to speak with his or her family members, relatives, close personal friends, or any other persons identified by an individual as involved in his or her care.
- Opportunity to Opt-Out of Use of Protected Health Information in Directory of Covered Entity (45 CFR 164.510(a)). A covered entity may maintain a directory of individuals in its facility containing the individual’s name, the location of the individual in the covered entity’s facility, the individual’s general medical condition, and the individual’s religious affiliation if the covered entity not only informs the individual that their protected health information will be included in the directory of the covered entity, but also gives an individual the right to opt-out of the directory of the covered entity.
Waiver – A covered hospital will not be subject to sanctions or penalties for not informing an individual that his or her protected health information will be included in the directory of the covered hospital or if it fails to honor an individual’s election to opt-out of the directory of the covered hospital.
- Notice of Privacy Practices for Protected Health Information (45 CFR 164.520). A covered entity is required to provide a written notice (e.g. Notice of Privacy Practices) as to how medical information of an individual may be used and disclosed and how the individual can get access to that information.
Waiver – A covered hospital will not be subject to sanctions or penalties for not providing an individual with a notice of the covered hospital’s privacy practices.
- Rights to Request Privacy Protection and Confidential Communications for Protected Health Information (45 CFR 164.522). A covered entity must permit an individual to request that the covered entity restrict uses or disclosures of protected health information about the individual (1) to carrying out treatment of the individual, (2) for payment or health care operations, or (3) to family members, relatives, close personal friends or any other persons identified by an individual as involved in his or her care that are otherwise permitted under the HIPAA Privacy Rule.
Waiver – A covered hospital will not be subject to sanctions or penalties for not permitting an individual to request privacy protection or for not keeping communications confidential from family members, relatives, close personal friends or any other persons identified by an individual as involved in his or her care.
The limited waiver authorized by Secretary Azar only applies: (1) in an emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. Hence, when the COVID-19 National Emergency Declaration and COVID-19 Public Health Emergency Declaration terminate, a covered hospital must then comply with all the requirements of the HIPAA Privacy Rule for any individual still under its care, even if 72 hours have not elapsed since implementation of the covered hospital’s disaster protocol.
COMPLIANCE AFTER THE WAIVER PERIOD
After the end of the Waiver Period, a covered hospital must resume its practice of obtaining a signed authorization (a “HIPAA authorization form”) from an individual before using or disclosing their protected health information for the purposes exempted by the limited waiver. At all times, however, a covered hospital must still obtain a HIPAA authorization form before protected health information is disclosed (1) to a third party for reasons other than the provision of treatment, payment or other standard healthcare operations (e.g. disclosing information to an insurance underwriter), (2) for marketing or fund-raising purposes, (3) to a research organization, (4) related to psychotherapy notes, and (5) in connection with the sale of protected health information or sharing of such information that involves remuneration with other individuals or organizations. To that end, a HIPAA-compliant authorization form should, at a minimum, contain the following information:
- Name of individual authorizing the use or disclosure of protected health information
- Description of the protected health information that may be disclosed or used by the covered hospital/entity (e.g. disclosure of psychotherapy notes)
- Purpose for authorization of use or disclosure of protected health information
- Name(s) of the individuals or organizations to whom protected health information may be disclosed
- Expiration date or expiration event when authorization to use or disclose protected health information is withdrawn (for example, an expiration event may be when a power of attorney for health care is activated)
- Right to revoke the authorization
- Dated signature of individual or individual’s representative acknowledging the grant of authorization to use or disclose his or her protected health information.