In light of the current healthcare crisis with COVID-19, the Department of Health and Human Services (HHS) updated its guidelines on HIPAA enforcement.

With this revision, HHS has modified its guidance on the HIPAA Rule to help healthcare workers deliver care more effectively during the current COVID-19 emergency.

The HIPAA Privacy Rule was the part primarily affected.

While many headlines have flooded healthcare news focusing on the fact that HIPAA guidelines have changed, many healthcare administrators, CEOs and even compliance officers have been left with questions as to what the changes actually mean.

One of the biggest questions I keep getting: does this mean we still have to keep up with cyber and data security standards?

To clear the air, I want to first emphasize that the revised guidelines refer solely to the HIPAA Privacy Rule.

Now, I have a hard time getting the terms ‘privacy’ and ‘security’ straight sometimes.

When I think about PHI, two terms automatically come to mind: Privacy and Security. Both are important for keeping sensitive information safe, but each has its own separate considerations.

Privacy refers to whom you may reveal information to. For instance, to keep information private, you likely aren’t sharing it with your neighbor. Privacy policies make sure that only the people who are entitled to sensitive information are able to access it.

Security is what keeps privacy intact. Essentially, it is the bubble of policies, infrastructure, and processes that keeps information safe. Locking the door to your patient file room is one security measure that ensures private information doesn’t get exposed.

With the loosened guidelines on privacy, I want to emphasize the importance of still having the tools, policies and infrastructure in place to keep your data secure.

Beginning March 15th, some provisions of the Privacy Rule were waived. These encompass:

  • Obtaining patient agreement to speak with family or friends involved in the patient’s care.
  • Honoring patient opt-outs from the facility directory (if a patient or someone else in the facility were infected, without these records no one would be able to trace the chain of exposure).
  • Having to distribute a notice of privacy practices (since these are now up in the air with regard to several scenarios).
  • Your patient’s right to request privacy restrictions (this also goes along with COVID-19 cases and faster detection of who may have been exposed).
  • Your patient’s right to request confidential communications.

The HHS waiver on the Privacy Rule is specifically geared toward helping healthcare workers during an emergency.

Here are some of the specific scenarios where these lightened rules are appropriate:

  • In an emergency area identified in the public health emergency declaration, i.e. if your area has been declared a public health emergency.
  • In hospitals that have instituted disaster protocols, for up to 72 hours from when the hospital implemented its disaster protocol (the waiver applies only before the end of this period).

HHS was also very clear that the reduced privacy restrictions should only be relied on for specific purposes:

TREATMENT OF PATIENTS—Without patient authorization, Covered Entities (CEs) may disclose PHI as necessary for the purpose of coordinating with other agencies or professionals to improve the care of the patient or of other patients.

PUBLIC HEALTH—CEs may disclose PHI to public health agencies such as local or state public health departments or the CDC, or where required by state law. If directed by the CDC or a state or local health department, a CE may also disclose information to a collaborating foreign government. Where authorized by a state or public health authority, a CE may disclose a patient’s information to a person at risk of contracting the disease, or to parties engaged in public health investigations or interventions.

DISCLOSE TO FAMILY OR OTHERS INVOLVED IN PATIENT CARE—Disclosure to others may be necessary to locate or identify guardians or family members, or to organizations (like the American Red Cross) that are authorized to act in relief efforts.

DISCLOSE TO PREVENT OR LESSEN A SERIOUS OR IMMINENT THREAT—CEs may disclose PHI, using their own judgement, if they determine that there is a serious and imminent threat to the health or safety of others and the disclosure is made with the intent to mitigate that threat.

DISCLOSURES TO MEDIA—CEs may only disclose specific information about the treatment of an identifiable patient to the media with the written authorization of the patient; or, where the patient has not objected to a restriction; or, if the patient is incapacitated, where disclosure is believed to be in the patient’s best interest or consistent with the patient’s prior-expressed wishes.

What I want to emphasize across all of the changes to the Privacy Rule is that HHS stresses you must still apply the minimum necessary rule.

For all disclosures of PHI for the purpose of treating the patient or others, you should make reasonable efforts to limit the information disclosed. That means you may need to apply role-based policies that limit exposure of a patient’s PHI. And when a public health authority (local, state, CDC) makes a request, share only the relevant information, providing the minimum necessary to fulfill the purpose of the request—only provide information that will be useful toward the stated goal.
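One way to make the minimum necessary rule concrete in software is a purpose-based disclosure filter: each disclosure purpose gets an allow-list of PHI fields, a specific request can only narrow that list further, media requests release nothing without written authorization, and every decision (released and withheld fields alike) is logged for audit. The example below is added here as an illustration and is not code from the original post or from HHS; the purposes, field allow-lists and the sample patient record are all constructed assumptions, and a real facility would derive the allow-lists from its own privacy office's policies.

```python
"""Purpose-based 'minimum necessary' PHI disclosure filter (added illustration).

Assumptions (not from the original post): the purposes and the fields allowed
for each are constructed for this example; the sample record is fictitious.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed allow-lists: the PHI fields treated as the minimum necessary
# for each disclosure purpose named in the post.
MINIMUM_NECESSARY = {
    "treatment": {"name", "dob", "mrn", "diagnosis", "medications",
                  "allergies", "test_results"},
    "public_health": {"dob", "zip", "diagnosis", "test_results",
                      "exposure_dates"},
    "family_involved": {"name", "diagnosis", "location_in_facility"},
}

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "dob": "1970-01-01",
    "mrn": "MRN-000001",
    "ssn": "000-00-0000",
    "zip": "00000",
    "diagnosis": "COVID-19, confirmed",
    "medications": ["example-med"],
    "allergies": [],
    "test_results": [{"date": "2020-03-20", "result": "positive"}],
    "exposure_dates": ["2020-03-14", "2020-03-15"],
    "location_in_facility": "Ward 3",
    "billing_account": "ACCT-0001",
}


@dataclass(frozen=True)
class Disclosure:
    """One audit-log entry: who asked, why, what was released and withheld."""
    purpose: str
    requester: str
    released: frozenset
    withheld: frozenset
    at: str


class DisclosureLog:
    """Append-only record of disclosure decisions (in memory for the example)."""

    def __init__(self):
        self.entries = []

    def record(self, purpose, requester, released, withheld):
        entry = Disclosure(purpose, requester, frozenset(released),
                           frozenset(withheld),
                           datetime.now(timezone.utc).isoformat())
        self.entries.append(entry)
        return entry


def disclose(record, purpose, requester, log, requested=None,
             written_authorization=False):
    """Return the subset of `record` that may be released for `purpose`.

    `requested`, when given, narrows the allow-list to the fields actually
    asked for (minimum necessary to fulfil the request). Media requests
    release nothing unless `written_authorization` is True, and then only
    the requested fields (assumption: the authorization covers them).
    """
    if purpose == "media":
        allowed = set(requested or ()) if written_authorization else set()
    elif purpose in MINIMUM_NECESSARY:
        allowed = set(MINIMUM_NECESSARY[purpose])
        if requested is not None:
            allowed &= set(requested)
    else:
        raise ValueError(f"unknown disclosure purpose: {purpose!r}")

    released = {k: v for k, v in record.items() if k in allowed}
    withheld = set(record) - set(released)
    log.record(purpose, requester, released, withheld)
    return released


if __name__ == "__main__":
    log = DisclosureLog()
    # A public health request that over-asks: name and SSN are withheld.
    out = disclose(SAMPLE_RECORD, "public_health", "state health dept", log,
                   requested={"name", "diagnosis", "ssn"})
    print("released:", sorted(out))
    print("withheld:", sorted(log.entries[-1].withheld))
```

The important design point is that a request can only shrink the released set, never grow it: asking for `ssn` under a public-health purpose is silently withheld and the withholding is logged, so the audit trail shows both what left the system and what was refused.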