HHS Issues COVID-19 HIPAA Waivers

COVID-19 Update

Click here for COVID-19 guidance and information

The Department of Health and Human Services (HHS) has issued a waiver under Section 1135 of the Social Security Act to temporarily relieve hospitals of certain administrative obligations imposed under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. A summary of the waiver is provided below.

Scope of Waiver

On March 17, HHS exercised its waiver authority under Section 1135 of the Social Security Act to waive several administrative obligations imposed on hospitals under the HIPAA Privacy Rule. The waivers issued by HHS reflect the full scope of the HIPAA waiver authority granted to the agency under Section 1135. The HIPAA requirements covered by the waiver include the following:

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b). The waiver relieves hospitals of the obligation to obtain the patient’s oral consent to speak with family members or friends about the patient’s medical care, even if the patient has the capacity to provide consent.
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a). Under the waiver, a patient’s name can be included in the publicly accessible patient directory of a hospital even if the patient requests to be excluded from the directory.
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520. This waiver relieves hospitals of the duty of seeking an acknowledgment of receipt of the notice from new patients. 
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a). Hospitals will not be required to process requests from patients for restrictions on the use or disclosure of their protected health information for generally permissible purposes, such as treatment, payment or healthcare operations.
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b). Hospitals will not be required to accommodate requests from patients to receive communications through alternative means or at alternative locations to ensure heightened confidentiality protection.

Providers Covered by the Waiver

The waiver does not apply to all HIPAA-covered entities or even all healthcare providers. It covers only hospitals that have instituted a disaster protocol. The waiver applies nationwide.

Duration of Waiver

This waiver became effective retroactively on March 15, 2020. It will remain in effect for 72 hours from the time a hospital issues its disaster protocol. In addition, the waiver will end when the public health emergency declared by HHS is over.

Impact of Waiver

The waiver will provide welcome temporary relief for hospitals from administrative duties that may slow down the admission and triage processes, and will allow hospitals to focus on clinical decision-making during a period of sharply increased patient volume. However, the waiver is narrow. It covers only a limited range of HIPAA obligations and is effective for only 72 hours following a hospital’s implementation of its disaster protocol.

It is worth noting that, in separate guidance regarding telehealth, the HHS Office for Civil Rights indicated it will “exercise enforcement discretion and waive penalties for HIPAA violations against healthcare providers that serve patients in good faith through everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency.” By allowing hospitals to handle a substantially greater number of patient visits outside of hospital facilities, it seems likely that this waiver will have a much greater impact on hospital operations during the COVID-19 crisis than the Section 1135 waiver described above.