HHS Issues Confusing Limited Waiver on Sharing of Patient Information Following COVID-19
Wednesday, March 18, 2020
coronavirus in the nursing ward
Print Mail Download i

Acknowledging the “additional challenges” on health care providers following the outbreak of COVID-19, the Department of Health and Human Services (HHS) recently issued several waivers for covered entities to address the need to share patient information after the President declared a national emergency concerning COVID-19.

One of the waivers issued by HHS is to “waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).

  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).

  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.

  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).

  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).”

The waiver is effective as of March 15, 2020. The waiver is applicable only in reference to the COVID-19 declared emergency; only for hospitals that have “instituted a disaster protocol;” and “for up to 72 hours from the time the hospital implements its disaster protocol.”

The restrictions are confusing to covered entities and cause additional questions:

  • What if we have implemented contingent operations but not disaster protocols—does the waiver apply?

  • Do we have to institute disaster protocols instead of contingent operations?

  • How do we only address the waiver for the first 72 hours after the disaster protocols are implemented? For instance, does that mean that all of the rights listed above are only waived for 72 hours?

  • What happens after the first 72 hours after the hospital institutes its disaster protocol? Do the waivers no longer apply?

  • What is the logic or reasoning behind the waivers only being applicable for 72 hours?

It would be helpful if additional guidance was provided by HHS to these questions, as many covered entities are concerned about relying on the waivers when they are confusing or they are not sure of the intent. These are trying times for healthcare providers, and introducing further confusion into compliance efforts is particularly difficult for them.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Legal Analysis

More from Robinson & Cole LLP

Privacy Tip #394 – Colorado Amends Privacy Law to Include Neurodata
by: Linn F. Freedman
New Threat: Scattered Spider International Coalition of Hackers
by: Linn F. Freedman
Joint Guidance Published by Five Eyes on Deploying AI Systems Securely
by: Linn F. Freedman
U.S. Government Intervenes in Case Alleging Unauthorized Disclosure of CUI
by: Data Privacy & Cybersecurity Robinson Cole
DoorDash Settles with California Attorney General for Alleged Violations of the CCPA
by: Kathryn M. Rattigan
The State of AI Governance and Diversity: Takeaways from the AI Index Report
by: Blair V. Robinson
Weight Loss, Miracle Medications & the Workplace
by: Abby M. Warren
Additional States Implement Notice Requirements for Healthcare Transactions
by: Leslie J. Levinson , Danielle H. Tangorre
Privacy Tip #393 – Phishing, Smishing, Vishing and Qrishing Schemes Continue to Dupe Users
by: Linn F. Freedman
Congress Introduces Promising Bipartisan Privacy Bill
by: Blair V. Robinson

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins