COVID-19 and Patient Privacy Update

March 15, 2020 HHS Issues Limited HIPAA Waiver

During nationwide public health emergencies such as this Novel Coronavirus Disease (COVID-19) pandemic, the HIPAA Privacy Rule allows for patient information to be shared to help patients obtain necessary care and to assist with curbing the spread of this viral, infectious disease. 

As of March 15, 2020, the U.S. Department of Health and Human Services (HHS) Secretary Alex Azar is waiving any penalties for covered hospitals that do not comply with the following Code of Federal Regulations (CFR) provisions to the HIPAA Privacy Rule: 

  • Requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. 
  • Requirement to honor a request to opt out of the facility directory.
  • Requirement to distribute a notice of privacy practices.
  • Patient’s right to request privacy restrictions.
  • Patient’s right to request confidential communications. 

This waiver is only in effect: 1) in the public health emergency declaration area; 2) when hospitals have implemented a disaster protocol; 3) and for up to 72 hours after the disaster protocol was implemented. When this waiver is terminated by the President or HHS Secretary, hospitals must return to full HIPAA Privacy Rule compliance immediately. 

Since the HIPAA Privacy Rule applies to covered entities (CEs) and their business associates, even in emergency situations, they must continue to protect patient information against impermissible uses and disclosures and to limit information disclosed to the minimum necessary per given purpose. 

There remain permitted uses and disclosures for:

  • Treatment: CEs may disclose protected health information (PHI) to treat the patient without patient authorization and is inclusive of care coordination and referrals.
  • Public Health Authorities: The Centers for Disease Control and Prevention (CDC) and state or local health departments are authorized to collect information to help prevent or control disease, injury, or disability; to collaborate with foreign government agencies; and to notify persons at risk to carry out public health interventions. CEs can rely on the CDC to request for minimum necessary PHI for public health purposes.
  • Family, Friends, and Others Involved in an Individual’s Care: CEs may share PHI with these persons involved with an individual’s care for both notification and care purposes and CEs should apply professional judgment when acquiring patient consent in certain situations.
  • Prevention of Imminent Threats: CEs may share PHI in order to prevent or mitigate a serious and imminent threat to the health and safety of a patient or the public.
  • Media: Patients must give written authorization to the media to release information. CEs may release limited information about a patient’s condition if they have consent or under other limited circumstances. 

Read the full HHS March 2020 bulletin here:

The CDC’s Coronavirus page:

The HHS’s Emergency Response page: