For nearly 20 years, the Health Insurance Portability and Accountability Act (HIPAA) has carefully protected the privacy of individual’s health information, while still promoting appropriate data sharing and communications among health care providers. In previous posts we have talked about the importance of data in the response to the COVID-19 crisis – data must be made available when and where it is needed to support patient care and public health activities. While privacy remains a top concern in healthcare, this is an unprecedented time for our country and our health care system is being challenged in new ways. If entities subject to HIPAA are constrained in their ability to share critical data or they are worried about penalties for non-compliance, then the effectiveness of that data is diminished.

Although the HIPAA Privacy Rule is not suspended during the current public health and national emergencies, the HHS Office for Civil rights (OCR) is committed to “empowering medical providers to serve patients wherever they are during this national public health emergency.”[1] A critical part of the response is ensuring data is made available to support public health activities. The HIPAA Privacy Rule already allows certain information to be shared to assist in nationwide public health emergencies, as well as to assist patients in receiving the care they need. It also gives patient’s certain rights regarding how their information can be used and shared.

To ensure the flow of data is not impeded, the US Department of Health and Human Services has exercised its authority to waive sanctions and penalties for non-compliance with certain provisions of the HIPAA Privacy Rule by covered entities and their business associates. The enforcement discretion does not extend to any obligations under the HIPAA Security or Breach Notification Rules, but it does free providers from the added stress of navigating complex legal and operational requirements so they can focus on providing care to impacted individuals, communities, and slowing the spread of COVID-19. 

Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency

Enforcement Discretion for Business Associates

Enforcement Discretion for Community-Based Testing Sites

To learn more about HIPAA and COVID-19, including updated guidance for HIPAA covered entities and business associates, visit the OCR website.

In future posts, we will explore in greater detail how the government and technology sectors are working together to flatten the curve while still protecting individual rights to privacy. We will also share how the current crisis is helping to remove roadblocks related to telehealth and sharing sensitive information such as substance use disorder treatment records. Often in times of crisis, opportunities emerge to create long-lasting positive change. Hopefully this crisis is no different and the health care community can rally together to focus less on when and how data can’t be shared and instead focus on “getting to yes”.

[1] https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf]

+ posts