HHS Issues Limited HIPAA Waiver for Coronavirus Emergency

As it has previously done for specific geographic areas affected by hurricanes, on March 15, the U.S. Department of Health and Human Services (HHS) issued a HIPAA Bulletin providing for a limited waiver of HIPAA sanctions and penalties for covered entities during the current COVID-19 (coronavirus) public health emergency.

Such waiver is primarily intended to relax some of the administrative requirements under the HIPAA Privacy Rule for up to 72 hours, to lessen the administrative burdens on a hospital immediately after it institutes its disaster protocol. The waiver thereby give hospitals affected by the emergency a chance to catch up with a potential sudden influx of patients. After the waiver period expires, all provisions of the Privacy Rule again apply.

The majority of HHS’s bulletin template is devoted to reminding people of HIPAA provisions that already existed. For example, in an emergency, a hospital may share a patient’s information for legitimate public health reasons without his or her authorization, or inform third parties or the general public in certain situations that someone is a patient at the facility. Facilities already had broad flexibility to communicate as necessary or appropriate with patients’ relatives and friends, other care providers, disaster relief organizations, and the general public.

In issuing these bulletins, HHS takes the opportunity to remind providers that even in emergency situations, the HIPAA rules are already more flexible than many realize.