FAQs - Federal

In accordance with President Trump’s recent critical infrastructure mandate, and in collaboration with other federal agencies and the private sector, the U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) developed an initial list of “Essential Critical Infrastructure Workers.” Employees of the Transportation & Logistics sector are currently deemed to be “Critical infrastructure Workers” 

You can view additional information about the Guidance Here.

On March 27, 2020, President Trump signed into law the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”), a $2.2 trillion stimulus package intended to spread relief across the American economy during the COVID-19 public health emergency. Title II of the CARES Act provides monetary relief for workers affected by COVID-19 by both increasing unemployment benefits and expanding eligibility.

In an effort to fill the gap between the average paycheck and state unemployment benefits, the CARES Act will provide eligible employees an extra $600 per week in unemployment benefits in addition to what they are eligible for under existing state programs. This boosted payment will last for approximately four months until its current expiration date of July 31, 2020.

The CARES Act also provides for an additional 13 weeks of continued $600 weekly payments for individuals who remain unemployed after exhausting their state unemployment benefits. This means eligible workers will be able to receive unemployment benefits for up to 39 weeks rather than the 26-week cap under most state programs.

Workers should be aware of the possible implications of receiving the additional $600 benefit. For example, the expanded benefit will count as income when determining eligibility for certain means-tested programs, including Supplemental Nutrition Assistance Program but not for Medicaid or the Children’s Health Insurance Program.

For more information click here.

For a printable summary

YES. With some very minimal exceptions. Below are the exceptions, but we highly recommend you maintain confidentiality unless given explicit permission by the patient/member and/or legal or health authorities. 

In light of the ongoing COVID-19 pandemic and the need for an informed and coordinated public health response, U.S. Secretary of Health and Human Services (HHS) Alex Azar declared a limited waiver of the following provisions of the HIPAA Privacy Rule:

Public Health Activities

Public health authorities and others responsible for ensuring public health and safety may access protected health information that is necessary to carry out their public health mission, and as such, individual authorization by patients is not required in a number of circumstances:


  • Covered entities may disclose patient’s health information to public health authorities such as the CDC or a state or local health department authorized by law to collect or receive such information.
  • If a public health authority such as the CDC or a state or local health department directs the covered entity to do so, a covered entity may disclose protected health information to a foreign government agency that is collaborating with the domestic public health authority to address a matter of public health.
  • If authorized by state law or a public health authority, a covered entity may disclose protected health information of a patient to persons at risk of contracting or carrying a communicable disease as necessary to prevent the further spread of the disease.
  • If authorized by state law or a public health authority, a covered entity may disclose protected health information as necessary to other parties engaged in undertaking public health interventions or investigations.


Disclosures to the Media and Others

Covered entities, according to the rules, should not disclose specific information about the treatment (including, but not limited to, a patient’s test results and specific details of an individual’s condition or illness) of an identifiable patient to the media or other individuals not involved in the patient’s care without the written, HIPAA-compliant  authorization of the patient or the patient’s representative, except in such specific circumstances:

  • If a patient has not objected to or otherwise restricted the release of their own protected health information and the media or another individual or individuals request information about that particular patient by name, a covered entity may at their discretion acknowledge that the patient is receiving care in the facility, release limited facility directory information, and may provide information about the patient’s condition in broad and general terms such as “critical,” “stable,” “deceased,” or “treated and released.”
  • If a patient is incapacitated, covered entities may also disclose information to the media and to other individuals not involved in the patient’s care only if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.

“Minimum Necessary Rule”

Excluding disclosures to healthcare providers for the purposes of treatment of the patient or others, all disclosures of protected health information that are not authorized by the patient are subject to HIPAA’s “minimum necessary” rule – which applies equally to disclosures made under the public health emergency waiver.

Under the “minimum necessary” rule, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose of the disclosure.

Internally, covered entities should apply role-based policies limiting the access to patient’s protected health information only to members of the workforce who need the information to perform their duties or whose health and safety may be jeopardized by failure to disclose such information.

When a patient’s protected health information is requested by a public health authority, covered entities may rely on representations from that authority or another relevant public official that the requested information is the minimum necessary to fulfill the purpose of the request.

Finally, in the COVID-19 & HIPAA Bulletin, the Secretary specifies that a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have COVID-19 is the minimum necessary for the public health purpose.

Source URL: https://www.natlawreview.com/article/relaxing-hipaa-laws-duringcovid-19-pandemic