Coronavirus Regulatory and Legal-HIPAA

March 22, 2020

Legal Helpline is available at (720) 858-6030—Monday–Friday 8am to 5pm
We are receiving a high call volume and want to assure you that if you leave a message, we will respond in a timely manner. If you have been working with a specific staff member you should continue to contact them on their direct line or via email.

OCR will waive potential HIPAA penalties for good faith use of telehealth during the epidemic. HIPAA-covered health care providers may use any available non-public-facing remote communication product to communicate with patients. The waiver only applies until the emergency declaration terminates.

When considering providing telehealth services out-of-state in response to testing, treatment, and care of patients with COVID-19, providers should access state medical board sites for the latest information regarding guidance for health care professionals not currently licensed in the state.

For more information, please see: 

Waiver of Certain HIPAA Requirements – Covered Hospitals
The Secretary of the Department of Health and Human Services (“Secretary”) has waived sanctions and penalties, beginning March 15, 2020, against a covered hospital that does not comply with the following requirements of the HIPAA Privacy Rule: 
• The requirement to obtain a patient’s agreement to speak with family members or friends;
• The requirement to honor a request to opt out of the facility directory;
• The requirements to distribute a notice of privacy practices;
• The patient’s right to request privacy restrictions; and, 
• The patient’s right to request confidential communications. 

This waiver applies only to the above provisions, only in an emergency area identified in the public health emergency declaration (nationwide), only to hospitals that have instituted a disaster protocol, and only for up to 72 hours from the time the hospital implements said disaster protocol. Once the emergency declaration terminates, the hospital must comply with the Privacy Rule for any patient under its care, even if 72 hours have not elapsed since the implementation of the disaster protocol. The remainder of the HIPAA Privacy Rule remains intact.

The Bulletin also contains an informative discussion of how HIPAA applies in emergencies, including a description of when the sharing of patient information is permitted for treatment, public health activities, and to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, without patient authorization.

A link to the Secretary’s Declaration can be found below, which includes a link to the Privacy Rule.