For the first 72 hours after a hospital institutes its disaster protocol for the COVID-19 emergency, HIPAA sanctions and penalties will be waived for:
- Failure to obtain a patient’s agreement to speak with family/friends involved in the patient’s care
- Failure to honor a request to opt out of the facility directory
- Failure to distribute a Notice of Privacy Practices
- Failure to permit patients to request privacy restrictions or to comply with requested restrictions
- Failure to permit patients to request confidential communications or to comply with requested restrictions
For the duration of the COVID-19 emergency and until OCR issues a notice that it is no longer exercising enforcement discretion, HIPAA sanctions and penalties will be waived for:
- The good faith provision of telehealth for any patient condition using non-public facing video chat applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, Zoom, or Skype.[i]
  - OCR encourages providers to (1) notify patients that these third-party applications potentially introduce privacy risks, and (2) enable all available encryption and privacy modes when using such applications.
  - Public facing remote communication products such as Facebook Live, Twitch, and TikTok, or chat rooms like Slack, should not be used in the provision of telehealth by covered healthcare providers.
  - Examples of “bad faith” provision of telehealth services where HIPAA violations would not be waived include:
    - Conduct or furtherance of a criminal act, e.g., fraud, identity theft, or intentional invasion of privacy
    - Impermissible uses or disclosures of PHI obtained through a telehealth visit (e.g., sale of PHI, marketing without authorization)
    - Violation of state licensing laws or professional ethical standards in the provision of telehealth services
- The failure to have a BAA in place with vendors of such applications.
- A business associate’s[ii] use and disclosure of PHI to public health and emergency oversight authorities, or its performance of data analytics using PHI for disclosure to such officials, where its business associate agreements with covered entities do not specifically permit such uses and disclosures, if the business associate:
  - Makes the use or disclosure in good faith for purposes of public health or health oversight activities as described in the Privacy Rule; and
  - Informs the covered entity or covered entities within 10 days after the use or disclosure occurs or commences.
  - Examples of such good faith uses or disclosures covered by this Notification include uses and disclosures for or to:
    - The Centers for Disease Control and Prevention (“CDC”), or a similar public health authority at the state level, for the purpose of controlling the spread of COVID-19, consistent with 45 C.F.R. § 164.512(b).
    - The Centers for Medicare and Medicaid Services (“CMS”), or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the healthcare system as it relates to the COVID-19 response, consistent with 45 C.F.R. § 164.512(d).
  - Note that the Notification does not waive the requirement for business associates and covered entities to transmit PHI for these purposes in accordance with the HIPAA Security Rule’s requirements to ensure secure transmission of ePHI. Additionally, the Notification does not address how this may impact other federal or state laws, including breach of contract claims, that may apply to the uses and disclosures of this information.
HHS and OCR emphasize in all of these guidance documents that except where required by law or for treatment disclosures, entities must make reasonable efforts to adhere to the minimum necessary standard.
HHS and OCR also offer guidance on permissible releases of PHI to:
- Family members and friends
- The media
- Emergency responders
- Public health officials
- Disaster relief organizations
- Correctional institutions and law enforcement
- Persons available to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety
https://www.cms.gov/about-cms/emergency-preparedness-response-operations/current-emergencies/coronavirus-waivers
https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf
https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf
https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf
https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf
https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-hipaa.pdf
[i] OCR mentions that texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, and iMessage also are secure, but these applications presumably can’t be used for telehealth, with the possible exception of store-and-forward visits (e.g., a picture of a rash).
[ii] OCR notes that it also will refrain from exercising enforcement discretion against covered entities under these circumstances.