HHS Issues Confusing Limited Waiver on Sharing of Patient Information Following COVID-19

Linn Freedman
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

Acknowledging the “additional challenges” on health care providers following the outbreak of COVID-19, the Department of Health and Human Services (HHS) recently issued several waivers for covered entities to address the need to share patient information after the President declared a national emergency concerning COVID-19.

One of the waivers issued by HHS is to “waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).”

The waiver is effective as of March 15, 2020. The waiver is applicable only in reference to the COVID-19 declared emergency; only for hospitals that have “instituted a disaster protocol;” and “for up to 72 hours from the time the hospital implements its disaster protocol.”

The restrictions are confusing to covered entities and cause additional questions:

  • What if we have implemented contingent operations but not disaster protocols—does the waiver apply?
  • Do we have to institute disaster protocols instead of contingent operations?
  • How do we only address the waiver for the first 72 hours after the disaster protocols are implemented? For instance, does that mean that all of the rights listed above are only waived for 72 hours?
  • What happens after the first 72 hours after the hospital institutes its disaster protocol? Do the waivers no longer apply?
  • What is the logic or reasoning behind the waivers only being applicable for 72 hours?

It would be helpful if additional guidance was provided by HHS to these questions, as many covered entities are concerned about relying on the waivers when they are confusing or they are not sure of the intent. These are trying times for healthcare providers, and introducing further confusion into compliance efforts is particularly difficult for them.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide