Due to the COVID-19 emergency, HHS applies waivers on HIPAA policy and sanctions for hospitals

The global coronavirus/COVID-19 outbreak has impacted even the least expected areas, such as data protection standards. The Office of Civil Rights (OCR) of the US Department of Health and Human Services (HHS) issued important notices establishing a limited waiver of compliance with the Privacy Rules included in the Health Insurance Portability and Accountability Act (HIPAA). Simply put, hospitals will be able to bypass some patient data protection rules and procedures to speed up the virus fight process and alert others on potential contagion.

For now, the exemption only applies to health care facilities located in areas of the United States where it has been declared an emergency state and only within the next three days of such a declaration, although the waiver period is likely to be extended Indefinitely.

It should be remembered that the media and the general public will still be unable to publish any information related to a patient infected with coronavirus without the written permission of the patient or a legal representative.

To be precise, the OCR launched two bulletins; in the first, the Limited Waiver from the rules and sanctions established in HIPAA arising from the national emergency declaration for the COVID-19 outbreak was reported. Accordingly, HHS will not track possible violations of the following requirements, set out in the HIPAA Privacy Rules:

  • Obtaining patient consent to speak with family or friends involved in their care
  • Filing an application for exclusion from the hospital directory
  • Distribution of a Notice of Privacy Practices
  • Presenting information to patients about their right to request privacy restrictions and confidential communications

This kind of measure is implemented in the event of natural disasters, so the three-day period is usually more than enough. However, due to the characteristics of this emergency, the waiver may be extended as long as the U.S. federal government deems necessary.

The second bulletin issued by the OCR refers to a Notice of Enforcement Discretion whereby HHS waives the application of HIPAA sanctions during the COVID-19 emergency related to distance health services.

In this way, any healthcare provider may communicate with a patient through any teleconference or video call platform without strictly ad adhered to HIPAA procedures.  

Health service providers may use apps and platforms such as FaceTime, Facebook Messenger Videochat, Skype Zoom, or other video conferencing platforms to provide remote consultations. In addition, the OCR advised medical service firms to avoid the use of other platforms and applications, such as Facebook Live, TikTok, or Twitch because it believes their use could pose privacy and information security risks.

While privacy and data protection are critical to any medical service user, the emergence of the COVID-19 outbreak requires public institutions to take a more flexible stance, at least until public health risks decrease.