Blog Series: Staying HIPAA Compliant During COVID-19
Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis
Bethany Baty, Digital Marketing Director, HIPAAtrek, St. Louis
Margaret Scavotto, JD, CHC, President, MPA, St. Louis
Today is day four of a five-day blog series on HIPAA issues that are relevant during COVID-19. Our goal is to help you remain compliant during these challenging times. ~ MPA and HIPAAtrek.
What HIPAA requirements are waived during COVID-19?
On March 16, the Office for Civil Rights (OCR) issued a bulletin in response to the COVID-19 outbreak: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency. For providers who followed the OCR’s waivers during Hurricanes Irma or Michael, this waiver should look familiar to you.
Who is covered by the waiver?
This waiver only applies to covered hospitals. All other providers must continue to follow HIPAA fully (with some leeway given under the Telehealth Waiver).
Under this waiver, as of March 15, 2020, the OCR waives sanctions and penalties against hospitals that do not follow these HIPAA Privacy Rule provisions:
- the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
- the patient's right to request confidential communications. See 45 CFR 164.522(b).
The waiver ONLY applies to the COVID-19 public health emergency. To get the benefits of the waiver, hospitals must:
- have a disaster protocol in place
- use the waiver for a maximum of 72 hours from the time the disaster protocol is implemented
- resume complying with the Privacy Rule when the public health emergency ends.
What’s not waived?
The OCR’s waiver alert provides guidance on HIPAA practices that are not waived, and should be followed during the COVID-19 pandemic. Here is what is NOT waived:
- The REST of the Privacy Rule. All Privacy Rule provisions not listed in the waiver must still be followed. Perhaps most importantly, providers must continue to follow the Minimum Necessary Rule when making disclosures.
- The waivers do NOT change how providers can communicate with the media. Follow your directory. For all other requests, get an authorization.
- The Security Rule is NOT waived. Providers must still safeguard patient information with administrative, physical, and technical safeguards. With employees working from home and cyber scams on the rise, providers should take extra security precautions.
We encourage you to read the OCR’s Alert in its entirety to familiarize yourself with all of the OCR’s recommendations and reminders.