May 26, 2020

HHS Issues Confusing Limited Waiver on Sharing of Patient Information Following COVID-19

Acknowledging the “additional challenges” on health care providers following the outbreak of COVID-19, the Department of Health and Human Services (HHS) recently issued several waivers for covered entities to address the need to share patient information after the President declared a national emergency concerning COVID-19.

One of the waivers issued by HHS is to “waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).

  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).

  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.

  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).

  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).”

The waiver is effective as of March 15, 2020. The waiver is applicable only in reference to the COVID-19 declared emergency; only for hospitals that have “instituted a disaster protocol;” and “for up to 72 hours from the time the hospital implements its disaster protocol.”

The restrictions are confusing to covered entities and cause additional questions:

  • What if we have implemented contingent operations but not disaster protocols—does the waiver apply?

  • Do we have to institute disaster protocols instead of contingent operations?

  • How do we only address the waiver for the first 72 hours after the disaster protocols are implemented? For instance, does that mean that all of the rights listed above are only waived for 72 hours?

  • What happens after the first 72 hours after the hospital institutes its disaster protocol? Do the waivers no longer apply?

  • What is the logic or reasoning behind the waivers only being applicable for 72 hours?

It would be helpful if additional guidance was provided by HHS to these questions, as many covered entities are concerned about relying on the waivers when they are confusing or they are not sure of the intent. These are trying times for healthcare providers, and introducing further confusion into compliance efforts is particularly difficult for them.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.

TRENDING LEGAL ANALYSIS


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence
Partner

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...

401-709-3353