Following a declaration of a national emergency by President Trump, on March 15th, the HHS announced that they would temporarily waive some penalties and sanctions for violations of the HIPAA Privacy Rule. Effective March 15th, the waiver applied:
- in the emergency area identified in the public health emergency declaration;
- to hospitals that have instituted a disaster protocol;
- for up to 72 hours from the time the hospital implements its disaster protocol.
Under the waiver, sanctions and penalties are not imposed on a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care. See 45 CFR 164.510(b).
- The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- The patient's right to request privacy restrictions. See 45 CFR 164.522(a).
- The patient's right to request confidential communications. See 45 CFR 164.522(b).
Once the National Emergency is declared over by either the President or the Secretary of the HHS, a hospital must again comply with all requirements of the HIPAA Privacy Rule for every patient under its care, even if 72 hours have not passed since it implemented its disaster protocol.
The intended effect of this waiver was to allow covered entities to offer telehealth services over platforms such as Zoom, Google Hangouts, and Skype, which were not compliant with the standards set by HIPAA because they were never designed for that purpose.
However, while these waivers will not continue indefinitely, telehealth and its benefits are here to stay. The responsibility for complying with the Privacy Rule will therefore remain with the covered entities. Rather than waiting for the President or the HHS to end the State of Emergency, these organizations should work now to ensure that their telehealth platforms are HIPAA compliant, or find alternative solutions.