Bloomberg Law

Hospitals Tackling Virus May Need More Than Brief Privacy Waiver (2)

March 19, 2020, 4:53 PM; Updated: March 20, 2020, 12:05 AM

A short reprieve from worrying about passing out patient privacy waivers or gaining a patient’s consent before talking to relatives will help hospitals brace for a coronavirus deluge, but more flexibility might be needed.

A 72-hour waiver from some Health Insurance Portability and Accountability Act requirements means hospitals that declare a disaster won’t be penalized for certain infractions of the patient privacy law once those emergency procedures are in effect. However, not all health-care providers will enjoy that exemption, and it may not be a long enough window to deal with the pandemic.

“The patient surges may come and go and last longer than 72 hours, so I think everyone is concerned this is helpful but maybe not enough,” said Allen Killworth, a partner at the Ohio-based law firm Bricker & Eckler LLP, who represents hospitals and health systems.

Declaring a national emergency gives the president the authority under Section 1135 of the Social Security Act to take certain actions, including waiving or modifying certain HIPAA requirements. But the waivers are only effective for 72 hours from the time a hospital implements its disaster protocol, according to the HHS Office of the Assistant Secretary of Preparedness and Response. A blanket waiver may do more good, Killworth said.

Hospitals won’t have to share privacy notices, which could be a good thing, according to Robert Belfort, a partner with Manatt Health, the legal and consulting health-care group of Manatt Phelps & Phillips LLP.

“I suppose not having to distribute privacy notices—which can be an administrative annoyance—is good because hospitals won’t have to deal with that burden when they’re already trying to figure out how to handle certain situations during critical conditions,” Belfort said.

“Any flexibility at this point is helpful,” he added.

Instead of extending the waiver, HHS might do what it did with telehealth programs and relax enforcement of the privacy requirements during the public health emergency, said Chris Raphaely, chair of Health Law at Cozen O’Connor in Philadelphia.

“I don’t know if they’re going to do anything, but I guess they could,” he said. “It’s uncharted territory.”

Protecting Patients and Privacy

The pandemic has forced hospitals to get creative and start screening some patients in tents in parking lots. But those temporary facilities may not be covered under the patient privacy waiver, complicating treatment, Killworth said.

“These alternative sites are up and, obviously, they don’t have the same resources, the same level of paperwork capabilities as you would in the main hospital,” he said.

While there may be some flexibility, Killworth said the HHS Office for Civil Rights hasn’t said whether those sites will be exempt from having to fully comply with all the HIPAA requirements.

States Need to Take Steps

The temporary federal waiver also doesn’t overrule state privacy laws—some of which are more restrictive than national standards. Many states have laws that closely mirror HIPAA.

“There’s a question as to whether state regulators will take similar action to HHS in those states,” Jason Engelhart, a partner at Stinson LLP, said. “There are a number of states, however, that have already declared emergencies.”

Hospitals should check with their state authorities, Killworth said.

“All of the federal waivers really will only apply to the federal requirements and these waivers specifically point out that there might be state or local laws that are not impacted or not alleviated because of the federal waivers,” he said.

Turning to Telehealth

The Trump administration has encouraged more hospitals and doctors to expand their telehealth offerings as SARS-CoV-2 moves rapidly through communities, infecting hundreds of new patients in the U.S. each day. That keeps patients out of crowded waiting rooms, minimizing the virus’ spread.

The HHS’ Substance Abuse and Mental Health Services Administration waived privacy provisions on Thursday to let doctors disclose medical records of patients who suffer from a substance use disorder without their permission during a medical emergency.

The HHS’ Office for Civil Rights said Tuesday that it won’t enforce penalties under federal health privacy policies if covered entities use popular video chat apps, like Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype to provide telehealth services.

It will allow the use of technology that’s not necessarily fully compliant with HIPAA to be able to perform and engage in telehealth services that are needed at this point, Killworth said.

However, Facebook Live, Twitch, TikTok, and other similar video communication apps shouldn’t be used for telehealth by covered health-care providers, the OCR said.

Providers hope HHS will allow them to start using personal computers that are not fully secured like a hospital system would be, Killworth added.

“Obviously, with a lot of working at home, that would be helpful as well to have some additional guidance in that area,” he said.

(Clarifies comments of Robert Belfort, beginning in the fifth paragraph.)

Reporters on this story: Lydia Wheeler in Washington; Ayanna Alexander in Washington

Editors responsible for this story: Fawn Johnson; Andrew Childers