Is HIPAA too strict during COVID-19 pandemic?

By Mackenzie Garrity, Becker’s Hospital Review
April 8, 2020

In response to the coronavirus pandemic, HHS relaxed penalties for potential violations of HIPAA rules.

However, the Iowa Freedom of Information Council argues HIPAA is being used too broadly as a reason to not release data on the spread of COVID-19. Journalists in Iowa have been denied requests for data on the number of COVID-19 tests performed or hospitalization rates, according to local ABC affiliate KCRG.

Health officials cite HIPAA as the reason they cannot disclose this data.

“The public is scared. They are concerned about local hospitals filling up, whether there will be space available if a friend or relative comes down with the disease, whether there will be enough ventilators available in a specific location,” said Randy Evans, executive director of the Iowa Freedom of Information Council, to KCRG. “These concerns are aggravated by a lack of information and at a time like this, I think the government ought to be coming forward with more information, not less.”

Under the relaxed HIPAA regulations, hospitals don’t need to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. Additionally, hospitals do not need to comply with the requirement to honor a request to opt out of the facility directory.

Other provisions that have been waived include the requirement to distribute a notice of privacy practices, a patient’s right to request privacy restrictions and a patient’s right to request confidential communications.

Hospitals and other HIPAA-covered entities should only share COVID-19 information for public health and health oversight activities, according to HHS. Examples of good faith use include disclosures to the CDC and CMS for assistance in COVID-19 responses.

The HIPAA waiver applies in emergency areas. Hospitals must institute a disaster protocol to be included in the HIPAA waiver.