A Limited Waiver of Sanctions for the HIPAA Privacy Rule Does Not Mean Covered Entities Can Ignore Their Responsibilities

Wes Morris, Managing Principal Consultant
Dawn Morgenstern, Senior Principal Consultant
George W. Jackson, Jr., Senior Principal Consultant

The Office for Civil Rights (OCR) issued a Limited Waiver of HIPAA Sanctions and Penalties (HIPAA Waiver) on March 16, 2020. As the name implies, the scope of the HIPAA Waiver is “Limited”. Organizations relying on the HIPAA Waiver need to be sure that they are both eligible for it and that their staffs’ conduct is covered by it. Otherwise, they may find themselves subject to complaints from their patients and unnecessary sanctions from OCR.

On March 13, 2020, US President Donald Trump proclaimed a national emergency concerning the Novel Coronavirus Disease (COVID-19) outbreak. In response to the proclamation, OCR issued a waiver of sanctions and penalties for non-compliance with certain required actions and responsibilities under the HIPAA Privacy Rule. The scope of the HIPAA Waiver includes only specific elements of the HIPAA Privacy Rule and not all HIPAA requirements. We encourage you to read the full text of the waiver here.

The purpose of this post is to ensure leaders and their workforce have a clear perspective of the intent of this waiver and its limited scope.

The HIPAA Waiver is temporary, limited, and applies only to hospitals that implement a disaster protocol. As written, the waiver “only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.” Also, per the bulletin, “When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.”

Hospitals are still expected to meet the requirements of the Privacy Rule. The only real change is in the imposition of sanctions and penalties. This is not a time to throw the doors open and ignore these provisions. Hospitals must continue to maintain compliance to the best of their abilities for the duration of the HIPAA Waiver.

We encourage continued adherence to the rules for two reasons. First, patients still have rights that covered entities must observe. Second, as soon as the emergency is over, covered hospitals that were subject to the HIPAA Waiver for the key elements listed below would again be subject to the imposition of sanctions and penalties relating to those elements.

The key elements of the waiver are:

  • The requirement to obtain the patient’s agreement to speak with family members or friends involved in the patient’s care
  • The requirement to honor a request to opt out of the facility directory
  • The requirement to distribute a notice of privacy practices
  • The patient’s right to request privacy restrictions
  • The patient’s right to request confidential communications

All other rights and responsibilities under the Privacy Rule continue to be fully enforceable during this public health emergency. For those covered entities and business associates that do not meet the meaning of “covered hospital,” the Limited Waiver of sanctions and penalties would not apply under any circumstances for failure to comply with the key elements described above.

We encourage leaders to communicate with their workforce to train and reinforce the importance of maintaining organizational standards of excellence even during a public health emergency, especially in the face of unprecedented transitioning to telework and telehealth environments. The closer a hospital remains to the normal state of affairs in managing its responsibilities under the Privacy Rule, the easier the transition will be when the Limited Waiver is lifted and normal operations are restored.

The current situation is causing healthcare organizations to react as quickly as possible to a very fluid environment. Also, the high-profile nature of this crisis is driving demand for real-time information on the spread and impact of COVID-19. Healthcare organizations need to be very careful not to introduce new unnecessary risks into their businesses including compliance risks.
