May 19, 2020 WPF Statement regarding HHS Secretary’s Section 1135 COVID-19 HIPAA Waiver


In this statement:

  • Brief summary of analysis and recommendations
  • What is a statutory HIPAA waiver, and when did HHS invoke the waiver in the past?
  • What are the five aspects of the HIPAA privacy rule covered by the statutory waiver?
  • Analysis and concerns about the statutory HIPAA waiver in the current COVID-19 crisis
  • Recommendations to HHS for adjusting the statutory HIPAA waiver


Brief Summary of Analysis and Recommendations

There are two distinct types of HIPAA waivers in place during the COVID-19 national emergency: COVID-19-specific administrative waivers issued in March and April 2020, and a March 2020 waiver authorized by a 2004 statute. [1]

COVID-19-specific administrative waivers: The three administrative waivers are the Telehealth waiver, the Business Associate waiver, and the Community Based Testing Sites waiver.

Statutory waiver: Section 1135 of the Social Security Act gives the Secretary of HHS express authority to waive a variety of health regulatory requirements during a national emergency.[2]  That statute allows for waiver of some provisions of the HIPAA health privacy rule. When a HIPAA-related statutory waiver is in effect, HHS does not enforce selected provisions of the HIPAA privacy rule. In the past, hurricanes, floods, and other natural disasters created a need for the HIPAA waiver. The first time HHS used the statutory HIPAA waiver was for Hurricane Katrina in 2005. The statutory waiver is triggered by the Secretary and applies for a 72-hour period beginning upon implementation of a hospital disaster protocol.[3] The 72-hour period for the HIPAA statutory waivers is probably best understood in the context of a natural disaster, like a hurricane, where any need arises quickly and does not last for more than a few days. Not much is known about how hospitals actually used the waiver in the past during natural disasters or if they rely on it for the 72-hour period only. 

The COVID-19 public health emergency presents some differences from natural disasters. Instead of a HIPAA waiver that is geographically restricted to one or two affected states for a limited period, the COVID-19 crisis involves the entire United States, and the crisis is likely to extend for a year or more. Whether the 72-hour limit and the hospital disaster protocol requirement make sense for a nationwide emergency is an open question.

The 72-hour limit makes questions about the wisdom of the waiver less urgent. Even if problems arise when denying patients any of the rights affected by the waiver, the consequences are limited to a few days. WPF notes that patients with certain safety concerns may potentially still experience problems associated with the 72-hour waivers. 

Questions surround the statutory waiver as applied to the COVID-19 emergency. Is there really a need to waive enforcement for each of the five specific HIPAA provisions? Should the time limit for HIPAA waivers in national pandemic emergencies be changed? A longer waiver period would mean that many patients – not necessarily just those suspected of having COVID-19 – might lose rights available under HIPAA for an extended period. Another issue is whether the waiver should extend beyond hospitals with a disaster protocol to other hospitals and to other health care providers.

WPF recommends that HHS reexamine the statutory waiver provisions at an appropriate time when the current emergency wanes. HHS should consult with all stakeholders and propose statutory changes. 

Background on Statutory HIPAA Waiver as applied in the COVID-19 Crisis

During a national emergency, the Secretary of Health and Human Services can waive sanctions and penalties that might be imposed for noncompliance with these five requirements in the HIPAA privacy rule:

    1. The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b))
    2. The requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a))
    3. The requirement to distribute a notice of privacy practices (45 CFR 164.520)
    4. The patient’s right to request privacy restrictions (45 CFR 164.522(a))
    5. The patient’s right to request confidential communications (45 CFR 164.522(b)) [4]

The Secretary first exercised the Section 1135 HIPAA waiver authority on September 4, 2005, in response to Hurricane Katrina.[5] In numerous subsequent hurricanes and other emergencies, the Secretary invoked the same waiver of HIPAA rules. 

During the COVID-19 crisis, the first step to declaring the statutory HIPAA waivers came on January 31, 2020, when the Secretary announced his determination that a public health emergency existed because of the “2019 Novel Coronavirus (2019-nCoV)” and that the emergency existed nationwide since January 27, 2020. Then on March 13, 2020, the Secretary used the authority under Section 1135 of the Social Security Act to apply the existing statutorily authorized waiver during the COVID-19 emergency.[6]  The March 13 waiver covered all five provisions that Section 1135(b)(7) identified. This action conformed to those taken the previous times when HHS invoked emergency HIPAA waivers. 

Specifically, paragraph (7) of the March 13, 2020 announcement provides for the following waiver from five specific HIPAA requirements:

(7) sanctions and penalties that arise from noncompliance with the following requirements (as promulgated under the authority of section 264(c) of the Health Insurance Portability and Accountability Act of 1996)–

(A) section 164.510 of title 45, Code of Federal Regulations, relating to –

(i) requirements to obtain a patient’s agreement to speak with family members or friends; and

(ii) the requirement to honor a request to opt out of the facility directory;

(B) section 164.520 of such title, relating to the requirement to distribute a notice; or

(C) section 164.522 of such title, relating to –

(i) the patient’s right to request privacy restrictions; and

(ii) the patient’s right to request confidential communications. [7]

This provision of law that authorized the HIPAA waiver during public health emergencies originated in Public Law 108-276, the Project Bioshield Act of 2004. The title of Section 9 of that Act is “Authority of the Secretary of Health and Human Services During National Emergencies.”[8] Nothing in the law’s limited legislative history discusses Section 9. 

Further Analysis of the Statutory HIPAA Waiver as Applied during the COVID-19 Crisis

The actual text of the March 13 HIPAA waiver is:

Pursuant to Section 1135(b)(7) of the Act, I hereby waive sanctions and penalties arising from noncompliance with the following provisions of the HIPAA privacy regulations:  (a) the requirements to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to opt out of the facility directory (as set forth in 45 C.F.R. § 164.510); (b) the requirement to distribute a notice of privacy practices (as set forth in 45 C.F.R. § 164.520); and (c) the patient’s right to request privacy restrictions or confidential communications (as set forth in 45 C.F.R. § 164.522); but in each case, only with respect to hospitals in the designated geographic area that have hospital disaster protocols in operation during the time the waiver is in effect.

The last clause is of special interest. It provides that the waiver applies in specific circumstances, namely:

“…only with respect to hospitals in the designated geographic area that have hospital disaster protocols in operation during the time the waiver is in effect.” [emphasis added]

This is the same language used when the Secretary announced previous HIPAA waivers, typically in response to hurricanes, floods, fires, and other natural disasters. For those emergencies, the limitation to hospitals within specific and narrow designated geographic areas made sense and placed reasonable bounds on the scope of the waiver. For many of the natural disasters, emergency conditions generally lasted for a limited time. Under the statute, the HIPAA waivers can stay in place for only 72 hours.

In light of the original intent and language, the use of the statutory public health emergency authority for HIPAA in response to COVID-19 presents several novel circumstances. 

  • First, the COVID-19 public health emergency is nationwide. 
  • Second, the emergency is likely to continue for a significant period of time and perhaps for several years. At this stage, it is not predictable when the emergency might end. Is a 72-hour time limit still appropriate or were the waivers unnecessary when invoked?
  • Third, since the emergency is nationwide, it is not clear what it means that the waivers are limited to “hospitals…that have hospital disaster protocols in operation.” Other health care providers may also provide COVID-19 services on an emergency basis.

There are several problems here that call for attention as we move from the immediate response stage to assessing the need for adjustments more appropriate to a long-term emergency. 

Should the HIPAA waiver be limited to hospitals that have disaster protocols in place? 

Is it appropriate for the waiver to cover only hospitals and not other facilities providing testing or treatment for COVID-19? This issue may require congressional review, but HHS should reevaluate the statute and eventually make a recommendation to Congress.

Not all patients at hospitals are COVID-19 patients.

As invoked, the statutory waiver is not limited to COVID-19 patients, although it is understandable that there may be no practical way to distinguish between patients based on diagnosis. This means that the statutory waiver, as currently written, applies to all patients at qualifying hospitals, including patients not treated for COVID-19. [9] Is that broad application appropriate for an emergency that is not a natural disaster?

Should any waiver of HIPAA rights continue indefinitely?

The broad purpose of the waiver is to lessen the administrative obligations of health care providers confronting overwhelming public health emergencies. However, the rights provided under the HIPAA privacy rule remain important. If a longer period for waivers is evaluated, one question is whether all waivers are appropriate for the long term. Another question is whether all of the current HIPAA waivers are truly necessary regardless of the nature of the emergency.

Recommendations 

WPF recommends that when the time is right, HHS should seek stakeholder comments on appropriate limitations for a continued waiver, including the timing for limiting or ending the waiver. This could be accomplished through a formal or informal comment process to ensure transparency and responsiveness. Ultimately, HHS should make recommendations to adjust the statute.

WPF recommends that patients who have safety considerations, such as victims of crime, including victims of domestic violence, receive particular consideration at all times. Waivers of the requirement to honor a request to opt out of the facility directory and of the patient’s right to request confidential communications may be inappropriate for these patients. Patients with safety vulnerabilities can experience problems even within a 72-hour window. HHS should consider this issue carefully and seek specific stakeholder comments on appropriate mitigations for waivers for individuals with these concerns.

________________________

Note: This discussion covers only the statutory HIPAA waiver cited. The Office of Civil Rights announced three additional circumstances in March and April, 2020 under which it would exercise its enforcement discretion for violations of HIPAA rules. These additional waivers, which in this document we call administrative waivers, cover telehealth, business associates, and community-based testing sites, raise other concerns that are not addressed here. WPF issued separate statements about the three administrative 2020 HIPAA waivers. [10]

Notes

[1] In this document, when we say “statutory” HIPAA waiver, we mean a waiver expressly authorized by statute. Three HIPAA waivers (Telehealth, Business Associate, and Community Based Testing Sites, dated March 13, April 2, and April 9 respectively) are administrative waivers.

[2] 42 U.S.C. § 1320b-5, https://www.law.cornell.edu/uscode/text/42/1320b-5. This section is also section 1135 of the Social Security Act.

The relevant part of this statute provides:

(b) Secretarial Authority To the extent necessary to accomplish the purpose specified in subsection (a), the Secretary is authorized, subject to the provisions of this section, to temporarily waive or modify the application of, with respect to health care items and services furnished by a health care provider (or classes of health care providers) in any emergency area (or portion of such an area) during any portion of an emergency period, the requirements of subchapters XVIII, XIX, or XXI, or any regulation thereunder (and the requirements of this subchapter other than this section, and regulations thereunder, insofar as they relate to such subchapters), pertaining to— 

(7) sanctions and penalties that arise from noncompliance with the following requirements (as promulgated under the authority of section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note)—

(A) section 164.510 of title 45, Code of Federal Regulations, relating to— 

(i) requirements to obtain a patient’s agreement to speak with family members or friends; and

(ii) the requirement to honor a request to opt out of the facility directory;

(B) section 164.520 of such title, relating to the requirement to distribute a notice; or

(C) section 164.522 of such title, relating to— 

(i) the patient’s right to request privacy restrictions; and

(ii) the patient’s right to request confidential communications.

Congress amended this section of law several times during the COVID-19 emergency. Section 102 of Public Law 116-123 gave the Secretary of HHS authority to temporarily waive or modify application of certain Medicare requirements with respect to telehealth services furnished during certain emergency periods. https://www.govinfo.gov/link/plaw/116/public/123. Section 6010 of Public Law 116-127 clarified the Secretary’s authority regarding Medicare telehealth services furnished during the COVID–19 emergency period. https://www.govinfo.gov/link/plaw/116/public/127. Neither amendment expanded the Secretary’s waiver authority with respect to HIPAA.

[3] The provision establishing the time limit and requiring a hospital disaster protocol is in Section 1135, but it appears in an unnumbered paragraph that follows subsection (b)(8). The text provides:

Insofar as the Secretary exercises authority under paragraph (6) with respect to individuals enrolled in a Medicare+Choice plan, to the extent possible given the circumstances, the Secretary shall reconcile payments made on behalf of such enrollees to ensure that the enrollees do not pay more than would be required had they received services from providers within the network of the plan and may reconcile payments to the organization offering the plan to ensure that such organization pays for services for which payment is included in the capitation payment it receives under part C of subchapter XVIII. A waiver or modification provided for under paragraph (3) or (7) shall only be in effect if such actions are taken in a manner that does not discriminate among individuals on the basis of their source of payment or of their ability to pay, and, except in the case of a waiver or modification to which the fifth sentence of this subsection applies, shall be limited to a 72-hour period beginning upon implementation of a hospital disaster protocol. A waiver or modification under such paragraph (7) shall be withdrawn after such period and the provider shall comply with the requirements under such paragraph for any patient still under the care of the provider. If a public health emergency described in subsection (g)(1)(B) involves a pandemic infectious disease (such as pandemic influenza), the duration of a waiver or modification under paragraph (3) shall be determined in accordance with subsection (e) as such subsection applies to public health emergencies.

[4] See HHS FAQ 1068, Is the HIPAA Privacy Rule suspended during a national or public health emergency?, https://www.hhs.gov/hipaa/for-professionals/faq/1068/is-hipaa-suspended-during-a-national-or-public-health-emergency/index.html. 

[5] See Congressional Research Service, Hurricane Katrina: HIPAA Privacy and Electronic Health Records of Evacuees (Jan. 23, 2007), https://www.everycrsreport.com/reports/RS22310.html. A list of other waivers under Section 1135 is at https://www.phe.gov/emergency/news/healthactions/section1135/Pages/default.aspx. 

[6] Secretary of Health and Human Services, Waiver or Modification of Requirements Under Section 1135 of the Social Security Act (March 13, 2020), https://www.phe.gov/emergency/news/healthactions/section1135/Pages/covid19-13March20.aspx. The announcement appears to contain an error. The provision announcing the time limit of the HIPAA waiver in paragraph 6 of the Secretary’s statement refers to “the waivers described in paragraph 2 above.” But there is no paragraph numbered 2. The proper reference as the document appears should be to the paragraph numbered 6. It appears that the error is in the paragraph numbering, and a review of other waiver announcements confirms this. 

[7] 42 U.S.C. § 1320b-5, https://www.law.cornell.edu/uscode/text/42/1320b-5. See note [2] above regarding the amendments to this section during the COVID-19 emergency.

[8] https://www.congress.gov/108/plaws/publ276/PLAW-108publ276.pdf.

[9] We recognize that nothing requires hospitals covered by a waiver to deny patients the rights waived. Our concern is that many hospitals will take the path of least resistance and use the waivers too liberally.

[10] See WPF Statement on HIPAA Telehealth Waiver, World Privacy Forum, March 18, 2020, https://www.worldprivacyforum.org/2020/03/wpf-statement-on-covid-19-and-changes-in-hipaa-practices/; WPF Statement on HIPAA Business Associate Waiver, World Privacy Forum, April 6, 2020, https://www.worldprivacyforum.org/2020/04/april-2-2020-wpf-statement-on-covid-19-and-changes-in-hipaa-practices/; WPF Statement on Community Based Testing Sites HIPAA Waiver, World Privacy Forum, April 15, 2020, https://www.worldprivacyforum.org/2020/04/april-15-2020-wpf-statement-on-the-covid-19-community-based-testing-sites-hipaa-waiver-of-april-9-2020-2/.

World Privacy Forum
www.worldprivacyforum.org
Publication date: May 19, 2020