HHS Releases Bulletin Waiving Certain Provisions of HIPAA
Written by: Chase Langhorne, Esq.
The U.S. Department of Health and Human Services (“HHS”) released a bulletin this week waiving sanctions and penalties as of March 15, 2020 for non-compliance with certain provisions of HIPAA.
The waiver centers around allowing people on the front lines to adequately handle and manage COVID-19 cases. Specifically, HHS is waiving sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
• the requirement that a covered hospital obtain a patient’s consent to speak with family members or friends involved in the patient’s case.
• the requirement to honor a request to opt out of the facility directory.
• the requirement to distribute a notice of privacy practices.
• the patient’s right to request privacy restrictions.
• the patient’s right to request confidential communications.
The abovementioned items, while important, slow down a medical provider’s ability to provide care quickly and efficiently.
Duty to Safeguard Patient Information
Possibly more important than the sanctions being waived for violations of certain provisions of HIPAA are the provisions for which sanctions are not waived. HHS did not waive a medical provider’s general obligation to safeguard patient information. It is extremely important to safeguard patient information under normal circumstances, but even more important to maintain those security measures in times of crisis. There are always people with bad motives looking to capitalize on a crisis. We have already seen two different variants of ransomware (named COVID-19 and CovidLock), created by hackers as a result of this pandemic, that are designed to encrypt medical records.
Duty to Report HIPAA Breaches
HHS did not waive or extend the 60-day time limit for medical providers to notify affected patients of a breach of their protected health information.