Privacy and Cybersecurity Update

HHS Announces Limited HIPAA Waiver for Certain Hospitals and Enforcement Discretion for Telehealth Providers

This week the U.S. Department of Health and Human Services (HHS) took action to waive penalties and refrain from enforcing certain federal health information privacy restrictions under the Health Insurance Portability and Accountability Act (HIPAA) in response to COVID-19.

First, effective March 15, 2020, HHS Secretary Alex Azar exercised his statutory authority to issue a waiver of penalties and sanctions that would otherwise apply to certain hospitals for violations of specified provisions of the HIPAA Privacy Rule. These provisions include requirements to honor patients’ requests for privacy restrictions and certain confidential communications and the requirement to obtain consent before speaking with family members or friends involved in the patient’s care. The waiver applies only to hospitals that have instituted a disaster protocol and only for up to 72 hours from the time the hospital implements its disaster protocol. The waiver does not affect state laws that may restrict disclosures of health information and is not effective with respect to action that discriminates “among individuals on the basis of their source of payment or their ability to pay.” The agency’s announcement clarifies that though the HIPAA Privacy Rule is not suspended during emergencies, there are a variety of regulatory provisions in HIPAA that permit disclosures of health information in particular circumstances relevant to public health emergencies.

Second, on March 17, the HHS Office for Civil Rights announced that it would exercise its enforcement discretion and not impose penalties for noncompliance with HIPAA against healthcare providers in connection with the good-faith provision of telehealth services. The announcement specified, however, that certain public-facing platforms should not be used for these services.

President Donald Trump mentioned the administration’s action on HIPAA in his March 17, 2020, press conference.

To learn more about privacy and other legal issues related to COVID-19 response, visit Sidley’s COVID-19 Resource Center.

Attorney Advertising—Sidley Austin LLP is a global law firm. Our addresses and contact information can be found at www.sidley.com/en/locations/offices.

Sidley provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer.

© Sidley Austin LLP