HIPAA Privacy RuleDuring an emergency or public health crisis, some elements of the HIPAA Privacy Rule may be waived. As of March 15, 2020, the Secretary of the Department of Health and Human Services (HHS), issued an emergency Privacy Rule waiver in response to the COVID-19 health crisis.

A HIPAA Privacy Rule waiver is issued to facilitate quick response to public health issues, temporarily waiving fines associated with certain disclosures. The following discusses the Privacy Rule waiver in more detail.

What Conditions Enable the HIPAA Privacy Rule Waiver?

There are two conditions that must be met before the Secretary may issue an emergency HIPAA Privacy Rule waiver:

  • The President declares an emergency or disaster; and
  • The Secretary of HHS declares a public health emergency.

In regards to the COVID-19 crisis, both conditions have been met. However, the waiver is a temporary measure, and only applies:

  • To the area identified in the public health emergency declaration.
  • To covered entities that have instituted a disaster protocol.
  • For up to 72 hours from the time the disaster protocol is implemented.

If the President or Secretary terminates the emergency declaration, the Privacy Rule waiver no longer applies.

Which HIPAA Privacy Rule Provisions are Waived?

The HIPAA Privacy Rule waiver applies to the following:

  • The requirement to distribute a notice of privacy practices.
  • The patient’s right to request privacy restrictions.
  • The patient’s right to request confidential communications.
  • The requirement to obtain a patient’s consent to speak with family members or friends involved in the patient’s care.
  • The requirement to honor a request to opt out of a covered entity’s facility directory.

Under the Privacy Rule waiver, protected health information (PHI) may be disclosed, without prior patient consent, to public health authorities to protect public health and safety. Additionally, PHI may be disclosed without prior consent to individuals involved in the patient’s care such as family members, friends, and caregivers.

Minimum Necessary Standard and Emergencies

Even in the case of emergency, the minimum necessary standard must be upheld. All disclosures of PHI must be restricted to what is necessary for public health and safety.

For more information on HIPAA Privacy Rule Waivers, please click here.