HHS issues limited HIPAA waiver during COVID-19 emergency
HHS announced a limited HIPAA waiver for hospitals during the COVID-19 national emergency, temporarily suspending certain privacy rule sanctions when hospitals implement disaster protocols.
Executive briefing: The U.S. Department of Health and Human Services (HHS) released a Limited Waiver of HIPAA Sanctions and Penalties on . For hospitals that activate disaster protocols, HHS waived penalties for certain provisions—such as patient agreement to facility directories and the requirement to distribute privacy notices—for up to 72 hours after protocols start.
Operator action: Covered entities should document when disaster protocols are activated, track the 72-hour waiver window, and maintain other HIPAA safeguards (access controls, minimum necessary use, breach notification). Update training and incident logs to reflect the limited waiver scope and resume full compliance once the emergency window closes.
Sources: The HHS bulletin details which HIPAA requirements are waived, the conditions for applicability, and contact points for regional enforcement offices.
Continue in the Compliance pillar
Return to the hub for curated research and deep-dive guides.
Latest guides
-
Third-Party Risk Oversight Playbook — Zeph Tech
Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.
-
Compliance Operations Control Room — Zeph Tech
Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.
-
SOX Modernization Control Playbook — Zeph Tech
Modernize Sarbanes-Oxley (SOX) compliance by aligning PCAOB AS 2201, SEC management guidance, and COSO 2013 controls with data-driven testing, automation, and board reporting.