In light of the COVID-19 pandemic, the Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has issued a Limited Waiver of HIPAA Sanctions and Penalties. HIPAA itself and its protections for protected health information (PHI) remain in force, so it is important that healthcare facilities understand exactly which requirements the limited waiver has and hasn’t modified. Making the right adjustments will keep your organization in line with HIPAA IT security best practices and with the regulations that still apply.
What Does The HIPAA Limited Waiver Change?
The HIPAA Privacy Rule is not suspended during a public health emergency, but it already contains provisions that let covered entities share patient information more readily in one. The limited waiver goes a step further: it removes sanctions and penalties for non-compliance with a specific set of Privacy Rule provisions that govern that flow of information. According to HHS’s bulletin, a hospital will not be penalized for failing to comply with these requirements:
- The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
- The requirement to honor a request to opt out of the facility directory
- The requirement to distribute a notice of privacy practices
- The patient’s right to request privacy restrictions
- The patient’s right to request confidential communications
The limited waiver went into effect on March 15, 2020. Keep in mind that this limited waiver only applies:
- In the emergency areas identified in the public health emergency declaration
- To hospitals that have instituted a disaster protocol
- For up to 72 hours from the time the hospital implements its disaster protocol.
After the 72 hours mentioned above, or when the President or the Secretary of HHS terminates the emergency declaration (even if the 72 hours have not yet elapsed), the normal HIPAA sanctions and penalties go back into effect. At that point, organizations must return to full compliance with the HIPAA Privacy Rule for every patient still under their care.
Which HIPAA Regulations Stay The Same?
The waiver touches only the Privacy Rule provisions listed above. The HIPAA Security Rule, including its requirement for a risk analysis of the systems that store, process, and transmit electronic PHI, is unchanged, and relaxing security safeguards during the emergency would put PHI at risk. So most of what HIPAA requires of a hospital is exactly the same under the limited waiver as it was before.
Healthcare organizations should also keep in mind that the Privacy Rule already permits them to share certain patient information under normal circumstances, without any waiver. This includes sharing for treatment purposes, with public health authorities (federal, state, and local) for public health activities, and to prevent or lessen a serious and imminent threat to the patient or the community.
However, hospitals must still limit each use or disclosure to the minimum necessary PHI for every purpose other than treatment; the minimum-necessary standard exempts disclosures to providers for treatment, not disclosures in general. This protects patient confidentiality and also limits what an over-privileged or compromised account can expose. To meet the standard, hospitals should continue to enforce role-based access to PHI: each workforce role is granted only the data elements its duties require, the purpose of a request determines how much of a record is released, and anything not explicitly permitted is denied.
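The role- and purpose-based release described above, written out as an added Python example. This is not code from the article or from Fortified Health Security; the role names, purpose names, field names, minimum-necessary field sets and the sample patient record are assumptions constructed for the example and would be replaced by your own EHR schema and role catalogue. It shows the three behaviors the paragraph calls for: treatment requests receive the full record, every other permitted purpose receives only its minimum-necessary fields, and any role/purpose pairing not on the list is denied and audited.

```python
"""Role- and purpose-based PHI release with a minimum-necessary filter.

Added example for this article; not code from the original page and not
Fortified Health Security's software. Role names, purpose names, field
names and the sample record are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Purposes of use. The minimum-necessary standard does not apply to
# treatment disclosures between providers; it applies to everything else.
TREATMENT = "treatment"
BILLING = "billing"
PUBLIC_HEALTH = "public_health"
DIRECTORY = "facility_directory"
MEDIA = "media"  # never permitted without patient authorization

# Which purposes each workforce role may act under (assumed role catalogue).
# Anything not listed is denied: deny by default, never allow by default.
ROLE_PURPOSES: Dict[str, FrozenSet[str]] = {
    "attending_physician": frozenset({TREATMENT}),
    "floor_nurse": frozenset({TREATMENT}),
    "billing_clerk": frozenset({BILLING}),
    "infection_preventionist": frozenset({PUBLIC_HEALTH}),
    "front_desk": frozenset({DIRECTORY}),
}

# Minimum-necessary field set per non-treatment purpose (assumed values;
# derive yours from a documented minimum-necessary analysis).
MINIMUM_NECESSARY: Dict[str, FrozenSet[str]] = {
    BILLING: frozenset({"patient_id", "name", "insurance_id", "diagnosis_codes"}),
    PUBLIC_HEALTH: frozenset({"patient_id", "diagnosis_codes", "admit_date"}),
    DIRECTORY: frozenset({"name", "room"}),
}


@dataclass
class AuditEntry:
    """One access decision, kept so releases can be reviewed afterwards."""
    role: str
    purpose: str
    patient_id: str
    permitted: bool
    fields_released: FrozenSet[str]


def disclose(record: Dict[str, object], role: str, purpose: str,
             audit: List[AuditEntry]) -> Optional[Dict[str, object]]:
    """Return the subset of `record` that `role` may receive for `purpose`.

    Returns None when the request is denied. Every decision, permitted or
    not, is appended to `audit`.
    """
    patient_id = str(record.get("patient_id", "<unknown>"))
    if purpose not in ROLE_PURPOSES.get(role, frozenset()):
        # Unknown role, or a purpose this role is not authorized for.
        audit.append(AuditEntry(role, purpose, patient_id, False, frozenset()))
        return None
    if purpose == TREATMENT:
        allowed = frozenset(record)  # full record: no minimum-necessary cut
    else:
        allowed = MINIMUM_NECESSARY.get(purpose, frozenset())
    released = {k: v for k, v in record.items() if k in allowed}
    audit.append(AuditEntry(role, purpose, patient_id, True, frozenset(released)))
    return released


# Constructed sample record; not real patient data.
SAMPLE_RECORD: Dict[str, object] = {
    "patient_id": "P-000123",
    "name": "J. Sample",
    "room": "4B-12",
    "admit_date": "2020-03-20",
    "diagnosis_codes": ["U07.1"],
    "medications": ["acetaminophen"],
    "insurance_id": "INS-99887",
    "ssn": "000-00-0000",
}


if __name__ == "__main__":
    log: List[AuditEntry] = []
    print(disclose(SAMPLE_RECORD, "attending_physician", TREATMENT, log))
    print(disclose(SAMPLE_RECORD, "billing_clerk", BILLING, log))
    print(disclose(SAMPLE_RECORD, "front_desk", DIRECTORY, log))
    print(disclose(SAMPLE_RECORD, "front_desk", MEDIA, log))  # denied
    for entry in log:
        print(entry)
```

The deny-by-default lookup is the part worth copying: a role that is missing from the catalogue, or a purpose such as a media request that no role is granted, falls through to a logged denial rather than to an accidental release. The audit list stands in for the access logging that the Security Rule's audit-control requirement expects in a real system.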
It’s also important to note that hospitals and other healthcare organizations must still comply with the following restrictions:
- Hospitals cannot share PHI with the media without the patient’s written authorization
- Hospitals cannot disclose PHI to anyone who is not involved in the patient’s care without the patient’s authorization
- All other uses and disclosures the Privacy Rule prohibits or restricts, including the sale of PHI and uses for research or marketing, remain impermissible without the authorization or other condition the rule requires
To ensure that your entire organization understands what the limited waiver does and does not change, communicate this information to your employees and to anyone operating under your disaster protocol. Doing so keeps patient information protected and closes the gaps that a hurried emergency response can open. The right actions now can prevent a healthcare cybersecurity emergency on top of the public health emergency.
If you have any questions about the HIPAA limited waiver, or are interested in checking your organization’s compliance, the team at Fortified Health Security is here to help. We are dedicated to maintaining your cybersecurity during this challenging time. Contact us today to get started.