What to Know About HIPAA Waivers During COVID-19

During the COVID-19 pandemic, many have said that HIPAA does not apply and that it has been waived. While there have been HIPAA waivers, there have only been two cases. First, on March 15, 2020, the Department of Health and Human Services (HHS) announced a limited HIPAA Privacy Rule waiver in place for areas covered by a public health emergency and only for hospitals that have implemented their disaster protocol. When either U.S. Presidential or DHHS secretarial declaration terminates the waiver, hospitals must then fully comply with the Privacy Rule requirements for all their patients under their care. This waiver applies to the following provisions of the HIPAA Privacy Rule:

• The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
• The requirement to honor a request to opt out of the facility directory
• The requirement to distribute a notice of privacy practices
• The patient’s right to request privacy restrictions
• The patient’s right to request confidential communications

The second waiver stems from HHS’s understanding that some of the technologies providing telehealth services during this nationwide COVID-19 public health emergency may not be fully compliant with HIPAA rules. As such, on March 17, 2020, the HHS Office for Civil Rights (OCR) announced that it would waive potential HIPAA penalties in cases of good faith, while using telehealth through non-public-facing remote communication products that are currently available to communicate with patients. The waiver further states that this HIPAA enforcement discretion applies to telehealth services provided for any reason, regardless of whether the services are related to the diagnosis and treatment of health conditions related to COVID-19.

Healthcare providers should note that the enforcement discretion does not apply to public-facing video communication platforms such as Facebook Live, TikTok, and Twitch. Public-facing video communication applications are extremely insecure and should not be used for providing telehealth.

For more information in regards to HIPAA compliance during COVID-19, please reach out to Suzanne Miller at smiller@citrincooperman.com or Kevin Ricci at kricci@citrincooperman.com.