The Office of Civil Rights, U.S. Department of Health and Human Services, issued an update to its February bulletin, which outlined how the HIPAA privacy rules apply in a state of emergency.

The March bulletin largely reiterates the February bulletin and also sets forth a limited waiver of sanctions and penalties against covered hospitals that do not comply with certain HIPAA privacy rule provisions. Effective March 15, 2020, failure by a covered hospital to comply with the following provisions will not result in a penalty or sanction:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).

This waiver is limited in scope and duration. It covers only (1) emergency areas identified in Department Secretary Azar’s January 31, 2020, public health emergency declaration, and (2) hospitals that have instituted a disaster protocol. Further, the waiver extends only up to 72 hours from the time a hospital implements its disaster protocol. 

In other words, hospitals are not covered

  • at any time if they have not instituted a disaster protocol,
  • at any time for compliance failures outside of an emergency area, and
  • more than 72 hours after implementing a disaster protocol, in all areas.