During an emergency or public health crisis, some elements of the HIPAA Privacy Rule may be waived. As of March 15, 2020, the Secretary of the Department of Health and Human Services (HHS) issued an emergency HIPAA Privacy Rule waiver in response to the COVID-19 health crisis.
A HIPAA Privacy Rule waiver is issued to facilitate quick response to public health issues, temporarily waiving fines associated with certain disclosures. The following discusses the HIPAA Privacy Rule waiver in more detail.
What Conditions Enable the HIPAA Privacy Rule Waiver?
There are two conditions that must be met before the Secretary may issue an emergency HIPAA Privacy Rule waiver:
- The President declares an emergency or disaster; and
- The Secretary of HHS declares a public health emergency.
With regard to the COVID-19 crisis, both conditions have been met. However, the waiver is a temporary measure and applies only:
- To the area identified in the public health emergency declaration.
- To covered entities that have instituted a disaster protocol.
- For up to 72 hours from the time the disaster protocol is implemented.
If the President or Secretary terminates the emergency declaration, the HIPAA Privacy Rule waiver no longer applies.
Which HIPAA Privacy Rule Provisions are Waived?
The HIPAA Privacy Rule waiver applies to the following:
- The requirement to distribute a notice of privacy practices.
- The patient’s right to request privacy restrictions.
- The patient’s right to request confidential communications.
- The requirement to obtain a patient’s consent to speak with family members or friends involved in the patient’s care.
- The requirement to honor a request to opt out of a covered entity’s facility directory.
Under the Privacy Rule waiver, protected health information (PHI) may be disclosed, without prior patient consent, to public health authorities to protect public health and safety. Additionally, PHI may be disclosed without prior consent to individuals involved in the patient’s care such as family members, friends, and caregivers.
Minimum Necessary Standard and Emergencies
Even in an emergency, the minimum necessary standard must be upheld. All disclosures of PHI must be restricted to what is necessary for public health and safety.
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individuals.