Following the declaration of a national emergency due to the Covid-19 Virus, the US Department of Health and Human Services has announced that there will be a limited waiver of penalties and sanctions against hospitals for some HIPAA privacy rule violations.
To summarize the waiver, it is effective from March 15, 2020, and applies when:
- in the emergency area identified in the public health emergency declaration;
- to hospitals that have instituted a disaster protocol; and
- for up to 72 hours from the time the hospital implements its disaster protocol.
HIPAA is waiving sanctions and penalties against a covered hospital that is not complying with the following provisions of the HIPAA privacy rule:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care. See 45 CFR 164.510(b).
- The requirement to honor a request to opt-out of the facility directory. See 45 CFR 164.510(a).
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- The patient's right to request privacy restrictions. See 45 CFR 164.522(a).
- The patient's right to request confidential communications. See 45 CFR 164.522(b).
Following the conclusion of the National Emergency by either the President or the Secretary of the HHS, a hospital must then comply with all the requirements of the HIPAA Privacy Rule for any patent under its care, even if 72 hours have not passed following the implementation of its disaster protocol.