Limited Suspension of HIPAA Sanctions and Penalties During National Emergency

In response to President Trump's declaration of a national emergency concerning COVID-19, the U.S. Department of Health and Human Services (HHS) has issued a limited waiver of sanctions and penalties against covered hospitals for certain HIPAA Privacy Rule requirements. The waiver is effective March 15, 2020, and only applies:

• in the emergency area identified in the public health emergency declaration;
• to hospitals that have instituted a disaster protocol; and
• for up to 72 hours from the time the hospital implements its disaster protocol.

Specifically, HHS is waiving sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

• The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care. See 45 CFR 164.510(b).
• The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
• The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
• The patient's right to request privacy restrictions. See 45 CFR 164.522(a).
• The patient's right to request confidential communications. See 45 CFR 164.522(b).

When the Presidential or Secretarial declaration of the national emergency terminates, a hospital must then comply with all the requirements of the HIPAA Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

Read the guidance published by the HHS Office of Civil Rights (PDF)