Acknowledging the “additional challenges” on health care providers following the outbreak of COVID-19, the Department of Health and Human Services (HHS) recently issued several waivers for covered entities to address the need to share patient information after the President declared a national emergency concerning COVID-19.

One of the waivers issued by HHS is to “waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).”

The waiver is effective as of March 15, 2020. The waiver is applicable only in reference to the COVID-19 declared emergency; only for hospitals that have “instituted a disaster protocol;” and “for up to 72 hours from the time the hospital implements its disaster protocol.”

The restrictions are confusing to covered entities and cause additional questions:

  • What if we have implemented contingent operations but not disaster protocols—does the waiver apply?
  • Do we have to institute disaster protocols instead of contingent operations?
  • How do we only address the waiver for the first 72 hours after the disaster protocols are implemented? For instance, does that mean that all of the rights listed above are only waived for 72 hours?
  • What happens after the first 72 hours after the hospital institutes its disaster protocol? Do the waivers no longer apply?
  • What is the logic or reasoning behind the waivers only being applicable for 72 hours?

It would be helpful if additional guidance was provided by HHS to these questions, as many covered entities are concerned about relying on the waivers when they are confusing or they are not sure of the intent. These are trying times for healthcare providers, and introducing further confusion into compliance efforts is particularly difficult for them.