Skip to Main Content
Services Talent Knowledge
Site Search


Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

March 19, 2020

HHS Issues Guidance, Limited Waiver of HIPAA Sanctions and Penalties Amid COVID-19 Emergency

Following the declaration of a nationwide public health emergency due to the COVID-19 outbreak, the US Department of Health and Human Services (HHS) has issued waivers of HIPAA penalties and sanctions for good-faith use of telehealth services by health care providers and noncompliance with certain HIPAA Privacy Rule requirements for covered hospitals.

Notice of Enforcement Discretion for Telehealth Services

On March 17, the HHS announced it will waive potential penalties for good-faith use of telehealth during the COVID-19 nationwide public health emergency, even though certain technologies and the manner in which they are used may not comply with HIPAA. In its notice, the HHS stated it will “exercise its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good-faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.”

The HHS specifically listed applications that may be used, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype, but does not include Facebook Live, Twitch, TikTok, and similar public-facing video communication apps. However, the HHS indicated HIPAA-compliant technology vendors that will enter into business associate agreements (BAAs) with providers may be preferred, including Skype for Business, Updox, VSee, Zoom for Healthcare,, and Google G Suite Hangouts Meet, although the HHS did not explicitly endorse any specific products.

Pursuant to the notice, the HHS will not impose penalties against covered health care providers for failing to have BAAs with their video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good-faith provision of telehealth services during the COVID-19 nationwide public health emergency. 

Limited Waiver of HIPAA Sanctions and Penalties for Covered Hospitals

The HHS also issued a bulletin indicating it will exercise its authority to waive sanctions and penalties against a covered hospital that does not comply with the following HIPAA Privacy Rule requirements during the nationwide emergency:

  • The requirement to obtain a patient’s agreement to speak with family or friends involved in the patient’s care
  • The requirement to honor a request to opt out of the facility directory
  • The requirement to distribute a notice of privacy practices
  • The patient’s right to request privacy restrictions
  • The patient’s right to request confidential communications

This waiver only applies in the emergency area identified in the public health emergency declaration (which currently applies nationwide across the entire United States), to hospitals that have instituted a disaster protocol, and for up to 72 hours from the time the hospital implements its disaster protocol.

Aside from the limited waivers issued, the HIPAA Privacy Rule has not been set aside during the nationwide public emergency. In its bulletin, the HHS provided guidance to providers describing when patient information may be shared in emergency situations such as the COVID-19 outbreak under HIPAA, including:

  • Treatment: For purposes of treatment, which includes coordinating or managing health care and related services by one or more health care providers and others, consultation between providers, and referring patients for treatment.
  • Public health activities: This allows providers to share information with public health authorities such as the CDC or state or local health departments for the purpose of preventing or controlling the disease; at the direction of a public health authority to a foreign government agency; and to people at risk of contracting or spreading a disease or condition if authorized by state law.
  • Family, friends, and others involved in care: This grants providers the ability to share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care of the patient’s location, general condition, or death, so long as certain conditions under 45 CFR 164.510(b) are met.
  • Disclosures to prevent or lessen a serious imminent threat: Consistent with their professional judgment and applicable state law, providers may disclose a patient’s health information to anyone who is in a position to prevent or lessen the serious and imminent threat to the health and safety of a person or the public, including family, friends, caregivers, and law enforcement without a patient’s permission.

Providers are reminded they should only disclose the “minimum necessary” information to accomplish the purpose of disclosures.

If you have any questions regarding the content of this alert, please contact Bridget Steele, associate, at or another member of the Firm’s Health Care & Human Services Practice Area.


Click here to sign up for alerts, blog posts, and firm news.

Featured Media


US Supreme Court Shrinks Federal Authority Under the Clean Water Act


Supreme Court Strikes Down Taxing Authorities' Right to Retain Surplus Monies in "Strict Foreclosures"


Appellate Division, Third Department, Denies Appeal and Upholds Office of Renewable Energy Siting Regulations


NYS Public Service Commission Formally Initiates Proceeding to Establish What Constitutes "Zero Emission" Under the CLCPA


NYS Appellate Court Dismisses Common Law Claims Against Contractor for Injuries Sustained by "Special Employee"


Child Victim Act Complaint Dismissed for Failure to Sufficiently Allege Special Duty

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out