
HHS Waives HIPAA Sanctions and Penalties

by | Mar 30, 2020 | Articles, Essential, Lab Compliance Advisor


There is no doubt that we are in the midst of a national crisis, and in such times, rules have to be bent. That is happening with some parts of the privacy rules of the Health Insurance Portability and Accountability Act (HIPAA). In response to the Trump administration’s declaration on March 13 that the COVID-19 outbreak is a national emergency, Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar exercised his authority to waive sanctions and penalties against covered hospitals that do not comply with some parts of the Privacy Rules of HIPAA. The waiver became effective on March 15, 2020, but is retroactive to March 1, 2020.

Background

Under HIPAA, in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of HIPAA’s Security Rule to electronic protected health information.

What does the Waiver Do?

 Secretary Azar exercised his authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • The requirement to honor a request to opt out of the facility directory.
  • The requirement to distribute a notice of privacy practices.
  • The patient’s right to request privacy restrictions.
  • The patient’s right to request confidential communications.

The waiver, however, is somewhat limited. The waiver only applies:

  • In the emergency area identified in the public health emergency declaration.
  • To hospitals that have instituted a disaster protocol, and
  • For up to 72 hours from the time the hospital implements its disaster protocol.

How Long is the Waiver for?

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of HIPAA’s Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

 

 

 
