HIPAA Blog

[ Monday, March 16, 2020 ]

 

Specifically, the Secretary of HHS will:
"waive sanctions and penalties arising from noncompliance with the following provisions of the HIPAA privacy regulations:  (a) the requirements to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to opt out of the facility directory (as set forth in 45 C.F.R. § 164.510); (b) the requirement to distribute a notice of privacy practices (as set forth in 45 C.F.R. § 164.520); and (c) the patient’s right to request privacy restrictions or confidential communications (as set forth in 45 C.F.R. § 164.522); but in each case, only with respect to hospitals in the designated geographic area that have hospital disaster protocols in operation during the time the waiver is in effect."

Basically, HIPAA is still fully operational during this emergency.  However, there's a little flexibility with respect to issues involving notifying friends and family members (in an emergency, you don't want sick people unaccounted for because the provider is afraid to reach out to family and friends of the ill individual), and if a covered entity fails to deliver a Notice of Privacy Practices in the frantic rush to care for people in an epidemic, OCR will forgive that sin. 

However, the rest of HIPAA is still in effect as before.  But that's OK, because, as you'll learn more from me soon (watch this space), one of the beauties of HIPAA is that it is operationally flexible and based on a rule of reason, so that it works equally well in fair weather or foul.

Like I said, more to come.


UPDATE: HHS has now issued a bulletin specific to HIPAA (the prior one referenced EMTALA and several other federal laws and regulations).  Again they note the same provisions (splitting the first and third into 2 parts):
• the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
• the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
• the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
• the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
• the patient's right to request confidential communications. See 45 CFR 164.522(b).

The bulletin also adds specific limited circumstances when the provisions are waived: "only (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol."

More importantly, they point out a lot of the ways HIPAA continues to work, and how to make it work in these unique times (more specifically, they point out when HIPAA otherwise permits covered entities and business associates to disclose PHI).  Read the bulletin for more information.





Jeff [7:52 PM]
