By: Amy Rhoades

In light of the ongoing COVID-19 pandemic, the U.S. Secretary of Health (“Secretary”) declared a limited waiver of certain privacy provisions of the Health Insurance Portability and Accountability Act Privacy Rule (“HIPAA Privacy Rule”) beginning on March 15, 2020.[1]  Issued by the U.S. Department of Health and Human Services (“HHS”) in 2002, the HIPAA Privacy Rule regulates access to protected health information (“PHI”) by implementing disclosure guidelines and specifying the circumstances under which PHI can be used.[2]  The rule stipulates how hospitals or medical providers can disclose “individually identifiable health information” such as name, address, and social security number, as well as demographic information.[3]  According to the statute, hospitals can only disclose a patient’s PHI without consent when disclosure is required by law or when disclosure is in the public’s interest.[4]  The public health activities exemption ensures that officials have access to otherwise protected information when it is deemed necessary to complete a public health mission.[5]

Under a national public health emergency, the HIPAA Privacy Rule could potentially delay the reporting of information to the public that could shape policy or help people combat the disease.  HIPAA-covered providers are only permitted to release limited information to the media to help public safety, such as the patient’s general health condition or facility location.[6]  Without the waiver, hospitals can be penalized for disclosing a patient’s condition or location to the media without the patient’s consent.[7]  The additional waiver issued by the Secretary is designed to further facilitate the disclosure of protected medical information under certain circumstances, such as a pandemic.[8]  It’s important to note that the bulletin does not suspend HIPAA protections altogether, but rather states hospitals will not be penalized for failing to comply with five specific provisions of the HIPAA Privacy Rule under these specific circumstances.[9]  During this time, the Secretary waives penalties and sanctions on hospitals that do not comply with the following HIPAA Privacy Rule provisions:

  1. obtaining a patient’s consent to speak with family members or friends regarding the patient’s care;[10]
  2. honoring a patient’s request to not be included in a facility directory;[11]
  3. following the facility requirement to notify patients of privacy policies;[12]
  4. honoring a patient’s request for select privacy restrictions;[13] and
  5. honoring a patient’s request for confidential communications.[14]

The waiver applies for up to 72 hours, beginning from the time that a hospital implements its disaster protocol.[15]  The bulletin permits hospitals to notify health authorities when a patient is infected, and to share information with the Centers for Disease Control and Prevention to aid in controlling the outbreak.[16]  The release of PHI without consent not only aids the patient through coordinating care and patient referrals but also improves public safety.  However, the notice emphasizes that hospitals should “make reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary’ to accomplish the purpose.”[17]  The waiver’s limitations will mitigate the risk of spreading the disease and lessen the impact on the public by allowing hospitals to expedite communication and important medical information to public health officials while still balancing patient privacy.  Healthcare providers are still required to comply with the safeguards that protect the security of patient information.[18]  Additionally, hospitals are not permitted to disclose protected information to media or individuals outside of the public officials.[19]

[1] See Dep’t of Health & Hum. Serv., COVID-19 & HIPAA Bulletin Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency, Dep’t of Health & Hum. Serv. (2020), (invoking the Project Bioshield Act of 2004 and Social Security Act to waive provisions of the HIPAA Privacy Rule).

[2] See 45 C.F.R. § 164.512 (2019) (permitting covered entities to disclose or use PHI under a specific set of circumstances as required by law or for public health activities).

[3] See 45 C.F.R. § 160.103 (2019) (limiting PHI to individual identifiable health information not covered by Family Educational Rights and Privacy Act or employer held employment records).

[4] See 45 C.F.R. § 164.512(b)(i) (2019) (authorizing public health authorities to collect information “for the purpose of preventing or controlling disease, injury, or disability”).

[5] See id.; see also Heather F. Delgado & Laura D. Seng, Relaxing of HIPAA Laws During COVID-19 Pandemic, Nat. L. Rev. (Mar. 18, 2020), (explaining circumstances where public health activities apply).

[6] See HIPAA Journal, HIPAA Compliance and COVID-19 Coronavirus, HIPAA J. (Mar. 16, 2020), (describing the disclosure limits of HIPAA-covered providers during COVID-19 emergency declaration).

[7] See 45 C.F.R. § 164.312(a)(3)(ii) (2019) (describing the penalties the Secretary may impose for non-compliance with the HIPAA Privacy Rule, including imposing a civil money penalty).

[8] See HIPAA Journal, supra note 6.

[9] Id.

[10] See 45 C.F.R. § 164.510(b) (2019).

[11] See 45 C.F.R. § 164.410(a) (2019).

[12] See 45 C.F.R. § 164.520 (2019).

[13] See 45 C.F.R. § 164.522(a) (2019).

[14] See 45 C.F.R. § 164.522(b) (2019).

[15] See Dep’t of Health & Hum. Serv., supra note 1.

[16] Id.

[17] Id.

[18] See 45 C.F.R. § 164.306 (2019) (requiring HIPAA-covered entities to provide security to ensure that patient information is confidential and secure).

[19] See 45 C.F.R. § 160.103 (2019); see also Kim Stanger, HIPAA and Disclosure to Media, Holland & Hart Health L. Blog (May 25, 2017), (explaining the HIPAA Privacy Rule’s limitations on disclosure of PHI to media).
