HHS Waiver of Certain HIPAA Privacy Rule Sanctions and Penalties, and Existing HIPAA PHI Use Exceptions Help Facilitate COVID-19 Response

March 19, 2020

By: Linda A. Malek, Jason E. Johnson, and Khaled Mowad

HHS Waiver of Certain Privacy Rule Sanctions and Penalties

As part of a flurry of regulatory activity meant to address the emerging COVID-19 crisis in the United States, the Secretary of Health and Human Services, Alex Azar, acting in accordance with President Donald Trump’s emergency declaration and Secretary Azar’s earlier declaration of a public health emergency on January 31, 2020, issued a waiver suspending sanctions and penalties against qualifying hospitals that do not comply with certain provisions of the HIPAA Privacy Rule.  HHS released a bulletin explaining the scope of the waiver.

The waiver is limited in scope and augments existing provisions under the Privacy Rule which loosen customary protected health information (“PHI”) disclosure and use restrictions in emergency situations.  Pursuant to the waiver, failure to abide by the following HIPAA Privacy Rule requirements will not subject a covered hospital to sanctions and penalties:

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care before a use or disclosure of PHI is made in an emergency situation. 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. 45 CFR 164.522(b).

For covered hospitals that intend to rely on the waiver, there are some key limitations to the waiver, including one set forth in the Social Security Act but not stated in the bulletin, that need to be considered. First, the waiver only applies to hospitals that have instituted a disaster protocol. Second, the waiver is effective only for the lesser of 72 hours from when the hospital implements its disaster protocol or until the President or the Secretary declares the national disaster over.¹ Hospitals should ensure they have taken any appropriate governance actions needed to activate their disaster protocol in accordance with existing policies, since doing so triggers the waiver provisions and starts the 72-hour waiver period. Unfortunately, all signs point to the COVID-19 crisis lasting many weeks if not months, yet the waiver will avail a hospital for only a narrow window of time, as neither the Social Security Act nor the Project Bioshield Act of 2004 appears to authorize the Secretary to renew the waiver in order to extend its effectiveness beyond 72 hours for any hospital. If the nation’s health system struggles under the weight of the crisis, a legislative solution may be necessary to address potential widespread noncompliance.

Finally, not mentioned in the HHS bulletin is that discrimination by a provider with respect to payment precludes application of the waiver. The relevant language from Section 1135(b) of the Social Security Act (42 U.S.C. 1320b), added by the Project Bioshield Act of 2004 (PL 108-276), reads as follows: “A waiver or modification provided for under paragraph (3) or (7) shall only be in effect if such actions are taken in a manner that does not discriminate among individuals on the basis of their source of payment or of their ability to pay. . .” Since existing federal and state law generally proscribe such discrimination, hospitals need only abide by their existing policies in order to ensure patients receive necessary care.

Relevant HIPAA Exceptions for Emergency Situations

The waiver bulletin also summarized helpful information regarding the Privacy Rule’s exceptions for PHI uses and disclosures in which the requirement to obtain individual authorization is lifted; these exceptions apply in all situations, not just emergencies. These allowances may prove more useful to hospitals given their breadth and the absence of limitations tied to the duration of a national emergency. Most relevant to the crisis at hand are the following uses and disclosures of PHI set forth in the Privacy Rule:

  1. Disclosure to a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. For example, a covered entity may disclose to the CDC or state departments of health PHI as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have COVID-19.
  2. Uses and disclosures for disaster relief purposes.² A covered entity may disclose PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts (e.g., the American Red Cross) for the purpose of coordinating the notification of family members or other persons involved in the patient’s care of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.
  3. Uses and disclosures to prevent or control the spread of the disease.³ A covered entity may use or disclose PHI for public health activities and disclose PHI to persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.
  4. Uses and disclosures to prevent or lessen a serious and imminent threat to health or safety.⁴ A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
  5. Disclosure to law enforcement for identification and location purposes.⁵ A covered entity may disclose PHI to a law enforcement official in response to a law enforcement official’s request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that the covered entity may disclose only the following information: (A) Name and address; (B) Date and place of birth; (C) Social security number; (D) ABO blood type and Rh factor; (E) Type of injury; (F) Date and time of treatment; (G) Date and time of death, if applicable; and (H) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos. This allowance may be particularly relevant in tracking down individuals who test positive for COVID-19 but, for one reason or another, fail to comply with quarantine orders or evade public health authorities.

It is important that covered entities and their providers recognize the various limitations of the HHS waiver and the Privacy Rule provisions. The waiver provisions in particular are narrow as to time as well as scope. For example, the waiver related to 45 CFR 164.510(b), which permits a provider to disclose PHI to family or friends involved in the individual’s care without obtaining the individual’s agreement, does not remove the requirement that the disclosure be directly relevant to the person’s involvement with the individual’s health care or with payment related to the individual’s health care.

Similarly, for most disclosures under the Privacy Rule, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose. On this point, covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances. For example, a covered entity may rely on representations from the CDC that the information requested by the CDC about all patients exposed to or suspected to have COVID-19 is the minimum necessary for the public health purpose. See 45 CFR §§ 164.502(b), 164.514(d).

¹ The President declared a national emergency pursuant to the Robert T. Stafford Disaster Relief and Emergency Assistance Act (known as the “Stafford Act”) on March 13, 2020. The Secretary declared a public health emergency on January 31, 2020.

² 45 CFR 164.510(b)(iv)

³ 45 CFR 164.512(B)(iv)

⁴ 45 CFR 164.512(j)(1)(i)(A)

⁵ 45 CFR 164.512(F)