HIPAA Privacy & COVID-19: Remaining Compliant During an Emergency

Thoughtware Alert Mar 23, 2020

On March 15, 2020, the secretary of the U.S. Department of Health & Human Services (HHS) announced a limited HIPAA waiver in response to the novel coronavirus disease 2019 (COVID-19). The waiver allows HIPAA-covered entities to disclose protected health information (PHI) during a disease outbreak without fear of noncompliance penalties. The waiver covers areas under the public health emergency and hospitals that have enacted their disaster protocol. Visit the HHS website for more information on the limited HIPAA waiver.

In conjunction, the Office for Civil Rights (OCR) has released an update to the HIPAA Privacy Rule for HIPAA-covered entities, business associates of HIPAA-covered entities and subcontractors of business associates during this disease outbreak. Entities include:

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses
  • Business associates of covered entities

Under the HIPAA privacy rule waiver, it is not necessary for a HIPAA-covered entity to obtain prior authorization to disclose or share PHI during a disease outbreak for the following reasons:

  • Treating a patient or coordinating treatment for a different patient
  • Collecting information for the CDC or state and/or local health departments
  • Assisting foreign government agencies that are collaborating with public health authorities
  • Preventing an imminent threat or spread of disease to a specific person or the general public
  • Notifying individuals caring for the patient, such as friends, family members, caregivers and anyone identified by the patient
  • Identifying or locating a patient to notify family members, guardians or individuals responsible for the patient’s care about a patient’s general condition
  • Working with law enforcement, the press or the public at large to identify or locate a patient
  • Coordinating with disaster relief organizations responding to emergencies for the purpose of notifying family members or others involved in patient care
  • Disclosing information about infections to the media

In addition, the OCR also has waived HIPAA penalties for telehealth services used by a covered healthcare provider during the COVID-19 emergency for any reason. Review the HHS' updates to the limited HIPAA rule.

As with most topics related to COVID-19, changes are being made rapidly. Please note that this information is current as of the date of publication.

Reach out to your BKD Trusted Advisor™ or submit the Contact Us form below if you have questions.
