HHS Waiver of Sanctions and Penalties – Violations of HIPAA Privacy Rule Following Implementation of Hospital Disaster Protocol

On March 13, 2020, following President Donald J. Trump’s Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak, the Secretary of the U.S. Department of Health and Human Services (HHS) issued a Waiver or Modification of Requirements Under Section 1135 of the Social Security Act (SSA).  The purpose of the waiver is to make health care more accessible to Medicare, Medicaid, and Children’s Health Insurance Program (CHIP) patients.  The waiver became effective on March 15, 2020, but has retroactive effect to March 1, 2020.  While it covers several different SSA requirements, in particular, the waiver touches upon certain HIPAA privacy requirements under section 1135(b)(7).

Under Section 1135(b)(7), the Secretary will waive sanctions and penalties against a covered hospital for noncompliance with the following requirements and obligations under the HIPAA Privacy Rule, beginning March 15, 2020:

• The requirement to obtain a patient’s agreement to speak with family members or friends involved in a patient’s care pursuant to 45 C.F.R. § 164.510.
•  The requirement to honor a patient’s request to opt out of a facility’s directory pursuant to 45 C.F.R. § 164.510.
•  The requirement to distribute the notice of practice practices pursuant to 45 C.F.R. § 164.520.
•  The patient’s right to request privacy restrictions and confidential communications pursuant to 45 C.F.R. § 164.522.

While the 1135 Waiver generally applies for a period of 60 days (subject to extension) or the duration of the COVID-19 national emergency (whichever is earlier), the HIPAA Privacy Rule waiver has a limited application.  In particular, the HIPAA waiver applies only with respect to hospitals that have hospital disaster protocols and comes in effect for only 72 hours following a hospital’s implementation of its disaster protocol. HHS – Office for Civil Rights (OCR), the federal agency that enforces HIPAA, later clarified that, when the emergency declarations issued by the President and the Secretary of HHS terminate, the hospital must comply with all the requirements of the Privacy Rule for all patients under its care, even if the 72-hour time period has not expired since the implementation of its disaster protocol.

If you have additional questions or need further assistance, please feel free to reach out to Alessandra Swanson or your Winston relationship attorney.

View all of our COVID-19 perspectives here. Contact a member of our COVID-19 Legal Task Force here.