A Limited Waiver of Sanctions for the HIPAA Privacy Rule Does Not Mean Covered Entities Can Ignore Their Responsibilities

Wes Morris, Managing Principal Consultant
Dawn Morgenstern, Senior Principal Consultant
George W. Jackson, Jr., Senior Principal Consultant

The Office for Civil Rights (OCR) issued a Limited Waiver of HIPAA Sanctions and Penalties (HIPAA Waiver) on March 16, 2020. As the name implies, the scope of the HIPAA Waiver is “Limited”. Organizations relying on the HIPAA Waiver need to be sure both that they are eligible for it and that their staffs’ conduct is covered by it. Otherwise, they may find themselves subject to complaints from their patients and unnecessary sanctions from OCR.

On March 13, 2020, US President Donald Trump proclaimed a national emergency concerning the Novel Coronavirus Disease (COVID-19) outbreak. In response to the proclamation, OCR issued a waiver of sanctions and penalties for non-compliance with certain required actions and responsibilities under the HIPAA Privacy Rule. The scope of the HIPAA Waiver includes only specific elements of the HIPAA Privacy Rule and not all HIPAA requirements. We encourage you to read the full text of the waiver here.

The purpose of this post is to ensure leaders and their workforce have a clear perspective of the intent of this waiver and its limited scope.

The HIPAA Waiver is temporary, limited, and applies only to hospitals that implement a disaster protocol.  As written, the waiver “only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.” Also, per the bulletin, “When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.”

Hospitals are still expected to meet the requirements of the Privacy Rule.  The only real change is in the imposition of sanctions and penalties.  This is not a time to throw the doors open and ignore these provisions.  Hospitals must continue to maintain compliance to the best of their abilities for the duration of the HIPAA Waiver.

We encourage continued adherence to the rules for two reasons. First, patients still have rights that covered entities must observe.  Second, as soon as the emergency is over, covered hospitals that were subject to the HIPAA Waiver for the key elements listed below would again be subject to the imposition of sanctions and penalties relating to those elements.

The key elements of the waiver are:

  • The requirement to obtain the patient’s agreement to speak with family members or friends involved in the patient’s care
  • The requirement to honor a request to opt out of the facility directory
  • The requirement to distribute a notice of privacy practices
  • The patient’s right to request privacy restrictions
  • The patient’s right to request confidential communications

All other rights and responsibilities under the Privacy Rule continue to be fully enforceable during this public health emergency.  For those covered entities and business associates that do not meet the meaning of “covered hospital,” the Limited Waiver of sanctions and penalties would not apply under any circumstances for failure to comply with the key elements described above.

We encourage leaders to communicate with their workforce to train and reinforce the importance of maintaining organizational standards of excellence even during a public health emergency, especially in the face of unprecedented transitioning to telework and telehealth environments. The closer a hospital remains to the normal state of affairs in managing its responsibilities under the Privacy Rule, the easier the transition will be when the Limited Waiver is lifted and normal operations are restored.

The current situation is causing healthcare organizations to react as quickly as possible to a very fluid environment. Also, the high-profile nature of this crisis is driving demand for real-time information on the spread and impact of COVID-19. Healthcare organizations need to be very careful not to introduce new, unnecessary risks into their businesses, including compliance risks.

