
COVID-19 and HIPAA – Waiver of Certain Sanctions and Penalties, and OCR Guidance Regarding Telehealth and Continued Applicability

Publications - Client Alert | March 19, 2020


On January 31, 2020, as a result of the numerous confirmed cases throughout the United States of the virus SARS-CoV-2, which can cause 2019 Novel Coronavirus Disease or COVID-19 (hereinafter, COVID-19), the Secretary of Health and Human Services (the “Secretary”) used his authority under Section 319 of the Public Health Service Act to declare a nationwide public health emergency, retroactive to January 27, 2020.1  Following this declaration, on March 13, 2020, President Trump, under Sections 201 and 301 of the National Emergencies Act, declared that the COVID-19 outbreak in the United States constitutes a national emergency, retroactive to March 1, 2020.2

Following these dual declarations, the Secretary has exercised his authority under Section 1135 of the Social Security Act to issue waivers of certain federal program requirements, including sanctions and penalties arising from noncompliance with several provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy regulations.  In addition, the Office for Civil Rights (“OCR”), which is responsible for enforcing certain regulations issued under HIPAA, has released several recent notifications regarding the application of HIPAA during the current nationwide public health emergency.4


Section 1135 Waiver of HIPAA Sanctions and Penalties
The HIPAA Privacy Rule allows patients’ information to be shared to assist in nationwide public health emergencies, and to assist patients in receiving the care they need.  While the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.
The Secretary has exercised the authority to waive sanctions and penalties, effective March 15, 2020, against a covered hospital5 that does not comply with the following provisions of the HIPAA Privacy Rule:
  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.6
  • the requirement to honor a request to opt out of the facility directory.7
  • the requirement to distribute a notice of privacy practices.8
  • the patient’s right to request privacy restrictions.9
  • the patient’s right to request confidential communications.10
The waiver only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. 
It is important to note that the waiver lasts for no more than 72 hours from the time the hospital implements its disaster protocol, and so is more limited in duration than the other Section 1135 Waivers.  If the full 72 hours have not elapsed since implementation of a hospital’s disaster protocol when the Presidential or Secretarial declaration terminates, a hospital must then fully comply with the requirements of the Privacy Rule for any patient still under its care.
OCR Guidance Regarding HIPAA Applicability During COVID-19 Outbreak
On March 17, 2020, OCR issued a Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency (the “Notification”).11 In response to parallel actions by the Centers for Medicare and Medicaid Services to expand access to telehealth services,12 OCR notes that covered health care providers are likely to seek to communicate with patients through a variety of communications technologies, some of which may not fully comply with HIPAA requirements.  
Accordingly, OCR is exercising its enforcement discretion and will waive penalties for HIPAA violations against health care providers that serve patients in good faith through any non-public facing communications technologies which may not otherwise fully comply with the requirements of HIPAA (such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype) during the COVID-19 nationwide public health emergency.13 OCR will also not impose penalties against covered health care providers that lack a business associate agreement with video communication vendors.  Before engaging in telehealth visits using such applications, OCR encourages covered health care providers to notify patients of the potential privacy risks and to enable all available encryption and privacy modes.
OCR notes, however, that public facing communications technologies (such as Facebook Live, Twitch, and TikTok) should not be used in the provision of telehealth services by covered health care providers, and do not fall within the scope of the enforcement discretion.
Importantly, OCR’s exercises of discretion apply to telehealth provided for any reason during the applicable national emergency, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. The goal is both to provide telehealth access to a greater number of patients and to reduce in-person consultations and the risk of person-to-person infection transmission.
OCR has also issued a Bulletin: Civil Rights and Coronavirus Disease 2019 (COVID-19) (the “Bulletin”) to remind entities covered by civil rights authorities that civil rights laws and their implementing regulations, including anti-discrimination prohibitions, are not set aside during an emergency. In order to address the needs of at-risk populations, OCR has recommended that government officials, health care providers, and covered entities consider adopting (as resources and circumstances permit) the following practices:
  • Employing qualified interpreter services to assist individuals with limited English proficiency and individuals who are deaf or hard of hearing;
  • Making emergency messaging available in languages prevalent in the affected area(s) and in multiple formats, such as audio, large print, and captioning and ensuring that websites providing emergency-related information are accessible;
  • Making use of multiple outlets and resources for messaging to reach individuals with disabilities, individuals with limited English proficiency, and members of diverse faith communities; 
  • Considering and planning for the needs of individuals with mobility impairments and individuals with assistive devices or durable medical equipment in providing health care during emergencies;
  • Stocking facilities with items that will help people to maintain independence, such as hearing aid batteries, canes, and walkers.
Finally, other than the Section 1135 Waivers and other enforcement discretion discussed above, OCR emphasized that the Privacy and Security Rules of HIPAA remain in effect during an emergency.
* * * *
We anticipate that additional guidance in response to COVID-19 will be issued in the coming days and weeks, which may include additional waivers or modifications.  Covered health care providers who are or may be affected by the consequences of the COVID-19 pandemic should monitor additional developments and announcements from the OCR, the United States Department of Health and Human Services, the Centers for Medicare and Medicaid Services, and various other federal and state agencies.  If you have any questions about the limited waiver of HIPAA sanctions and penalties or other OCR guidance, please contact a member of our national Healthcare team.  




1 The Secretary’s declaration of a public health emergency can be found here.
2 The President’s declaration of a national emergency can be found here.
3 For more information on COVID-19 Section 1135 Waivers, see our Client Alert available here.
4 See COVID-19 & HIPAA Bulletin; Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency (March 2020), which can be found here.
5 Non-hospital providers do not appear to be covered by the HIPAA waivers.
6 See 45 CFR § 164.510(b).
7 See 45 CFR § 164.510(a).
8 See 45 CFR § 164.520.
9 See 45 CFR § 164.522(a).
10 See 45 CFR § 164.522(b).
11 See Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency, HHS (March 17, 2020), which can be found here.
12 For more information on the expansion of telehealth benefits under the 1135 waiver authority, see our Client Alert available here.
13 See Medicare Telemedicine Health Care Provider Fact Sheet (March 17, 2020), which can be found here.