Client Alert

HHS Eases Applicability and Enforcement of Certain HIPAA Rules During COVID-19 National Emergency

27 Mar 2020

Compliance with the HIPAA Privacy, Security and Breach Notification Rules remains an obligation during the COVID-19 national emergency, but, in the interest of encouraging treatment and efficient response to this pandemic, the U.S. Department of Health and Human Services (HHS) has made two recent announcements related to the enforcement of HIPAA:

Notification of Enforcement Discretion for Telehealth Remote Communications

On March 17, 2020, the HHS Office for Civil Rights (OCR) announced that it will exercise its enforcement discretion and waive potential penalties for HIPAA violations against covered health care providers that serve patients through remote communication technologies during the COVID-19 national public health emergency (the “Notification of Enforcement Discretion”). The purpose of the Notification of Enforcement Discretion is to empower health care providers to provide services to patients wherever they are during this public health emergency, and, in particular, to ensure that they can reach those most at risk, including older persons and those with disabilities. The exercise of enforcement discretion will apply regardless of whether the telehealth service is directly related to COVID-19.

In the Notification of Enforcement Discretion, OCR explains that health care providers can use any non-public facing remote audio or video communication product that is available to communicate with patients. OCR notes that this applies to widely available remote communication technologies when used in good faith for any telehealth treatment or diagnostic purpose, but public-facing communication applications should not be used for the provision of telehealth services. The Notification of Enforcement Discretion lists specific examples of non-public facing and public-facing technologies.

OCR lists vendors that represent they are compliant with HIPAA and able to enter into business associate agreements (BAAs); however, OCR makes it clear that it is not endorsing the use of any of these services. In the Notification of Enforcement Discretion, OCR confirms that it will not impose penalties against health care providers for the lack of a BAA with a communication technology provider. OCR encourages health care providers to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

OCR issued further guidance explaining how covered health care providers can use remote video communication products and offer telehealth services to patients responsibly. A summary of this guidance can be found here.

The Notification of Enforcement Discretion for Telehealth Remote Communications can be found here.

Limited Waiver of HIPAA Sanctions and Penalties Against Hospitals

HHS announced that, in response to President Trump’s declaration of a national emergency concerning COVID-19, and HHS Secretary Alex M. Azar’s declaration of a public health emergency, Secretary Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR § 164.510(b);
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR § 164.510(a);
  • The requirement to distribute a notice of privacy practices. See 45 CFR § 164.520;
  • The patient's right to request privacy restrictions. See 45 CFR § 164.522(a); and
  • The patient's right to request confidential communications. See 45 CFR § 164.522(b).

The waiver is effective as of March 15, 2020, retroactive to March 1, 2020. The waiver only applies to hospitals that have instituted a disaster protocol and for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, hospitals must then comply immediately with all of the requirements of the Privacy Rule for any patient still under their care.

The announcement can be found online.

OCR previously issued a bulletin outlining how entities subject to HIPAA may share patient information under the HIPAA Privacy Rule and other obligations during an outbreak of infectious disease or other emergency situation such as COVID-19. For more information, see our blog post.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.