HHS issues limited HIPAA waiver during COVID-19 emergency
HHS waived certain HIPAA penalties for good-faith telehealth during COVID-19. Healthcare providers can use FaceTime, Skype, and similar platforms without the usual business associate agreement requirements.
The Secretary of Health and Human Services issued a limited HIPAA waiver on 15 March 2020 under Section 1135(b)(7) of the Social Security Act, suspending certain regulatory requirements for hospitals operating under emergency conditions during the COVID-19 public health emergency. The waiver addressed immediate operational challenges while preserving core patient privacy protections. This action came as hospitals prepared for patient surges and needed flexibility to adapt operations quickly.
Waived Requirements
Patient rights waivers suspended requirements to obtain patient acknowledgment of Notice of Privacy Practices during emergency conditions. Hospitals could defer privacy notice distribution and acknowledgment collection to enable rapid patient intake during surge conditions. This simplified admission processes when emergency departments faced unprecedented volumes.
Request restrictions waivers suspended requirements to honor patient requests for confidential communications and restrictions on certain disclosures. This enabled hospitals to use alternative communication channels during emergencies without obtaining individual patient consent, which eased care coordination across facilities and with public health authorities.
Minimum necessary waivers relaxed requirements to limit uses and disclosures to the minimum necessary for the purpose. During emergencies, healthcare providers could share broader patient information to coordinate care without conducting minimum necessary analyses. This supported rapid transfers and consultations between facilities.
Scope and Limitations
Geographic scope limited the waiver to hospitals in areas where the HHS Secretary declared a public health emergency and the President declared an emergency or disaster under the Stafford Act or National Emergencies Act. Not all hospitals automatically qualified; facility-specific activation depended on declared emergency areas. Hospitals needed to verify their eligibility based on federal declarations.
Temporal scope restricted waiver applicability to 72 hours from the time the hospital implemented its disaster protocol, not 72 hours from the declaration date. After 72 hours, hospitals had to return to full HIPAA compliance unless HHS extended the waiver period. This time-limited approach required hospitals to plan for compliance resumption.
Good faith requirement specified that hospitals must act in good faith when relying on waivers, meaning they cannot use emergency declarations to bypass privacy requirements unrelated to emergency response. Documentation of emergency protocols and waiver reliance is essential for demonstrating good faith compliance.
Preserved Requirements
Security safeguards remained in full effect throughout the emergency period. Hospitals must continue implementing administrative, physical, and technical safeguards to protect electronic PHI, including access controls, audit logging, and encryption. Security incidents during emergencies still required appropriate response.
Breach notification obligations continued without modification. Hospitals must still report breaches of unsecured PHI within required timeframes, even during emergency operations when breach investigation resources may be constrained. Planning for breach response during surge conditions was essential.
Business associate requirements remained applicable, requiring appropriate agreements with vendors and contractors accessing PHI. Hospitals cannot share PHI with unapproved entities solely due to emergency conditions. New vendor relationships for emergency needs still required appropriate agreements.
Telehealth Enforcement Discretion
Separately from the Section 1135 waiver, OCR announced enforcement discretion for telehealth services during the pandemic. This permitted healthcare providers to use non-HIPAA-compliant communication platforms like FaceTime, Skype, and Zoom for telehealth consultations in good faith, recognizing that fully compliant platforms might not be immediately available. The telehealth discretion dramatically expanded virtual care options.
The telehealth enforcement discretion was broader than the hospital waiver, applying to all covered healthcare providers rather than only hospitals in declared emergency areas. However, providers should prefer HIPAA-compliant platforms where available and document circumstances requiring use of non-compliant alternatives. This flexibility enabled rapid telehealth expansion during lockdowns.
Public-facing platforms like Facebook Live and TikTok remained inappropriate for telehealth regardless of enforcement discretion. Providers needed to distinguish between acceptable consumer platforms and inappropriate public broadcasting services when establishing telehealth capabilities.
Documentation Requirements
Hospitals relying on HIPAA waivers should document emergency protocol activation dates, the specific waived requirements used, the patient care circumstances requiring waiver reliance, and the return to full compliance after the 72-hour period. This documentation supports good faith demonstrations if OCR later investigates emergency period activities.
Affected hospitals should maintain contemporaneous records of emergency declarations, disaster protocol activations, and compliance status changes throughout public health emergencies to enable retrospective compliance assessment. Records should capture decision-making processes and operational justifications.
Guidance for teams
Healthcare organizations should develop clear internal policies for invoking HIPAA waivers, including identification of authorized decision-makers, documentation requirements, and processes for returning to full compliance. Staff training on waiver scope and limitations prevents inappropriate reliance on emergency flexibility.
Compliance officers should monitor waiver use and ensure activities remain within waived requirements. Post-emergency review of waiver reliance helps identify process improvements and prepares documentation for potential regulatory inquiry.