HHS Waives Some HIPAA Sanctions During the Coronavirus Pandemic


By: David Cole

The HHS Office for Civil Rights (OCR) issued two important bulletins this week in response to the coronavirus pandemic. Each one announced that OCR will temporarily waive certain sanctions and penalties for noncompliance with HIPAA Rules to help deliver care to people in need.
Limited Waiver for Privacy Rule Requirements
First, OCR issued a Limited Waiver of HIPAA Sanctions and Penalties for not complying with certain parts of the Privacy Rule. Specifically, the Waiver says that healthcare providers will not be sanctioned or penalized for not complying with the following usual requirements:

  • The requirement to obtain a patient’s consent before speaking with family members or friends involved in the patient’s care;
  • The requirement to honor a request to opt-out of the facility directory;
  • The requirement to distribute a Notice of Privacy Practices;
  • The patient’s right to request privacy restrictions; and
  • The patient’s right to request confidential communications.

The Waiver became effective on March 15, 2020, but currently only applies (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. It is unclear if OCR will extend the time for this Waiver given the widespread and potentially prolonged nature of the coronavirus outbreak. A copy of the bulletin is available here.
Video Technology Allowed for Telemedicine
Second, OCR issued a Notification of Enforcement Discretion allowing healthcare providers to use “any non-public facing remote communication product that is available” to communicate with patients to provide telehealth during the coronavirus national emergency. As examples, OCR said it will allow healthcare providers to use video chat application like Apple FaceTime, Facebook Messenger, Google Hangouts, or Skype, to provide telehealth without risk of penalty for noncompliance with HIPAA Rules. However, Facebook Live, Twitch, TikTok, and other similar public-facing video applications are not allowed. Healthcare providers are still expected to enter into Business Associate Agreements with the technology companies providing the video communication services, but OCR says it will not impose penalties for failing to do so during the time of the national emergency. A copy of the Notice is available here.
Additional information: 
The FMG Coronavirus Task Team will be conducting a series of webinars on Coronavirus issues every day for the next week. We will discuss the impact of Coronavirus for companies in general, but also for business in insurance, healthcare, California specific issues, cybersecurity, and tort. Click here to register.
FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients. Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the Coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments. For more information about the Task Force, click here.
You can also contact your FMG relationship partner or email the team with any questions at
**DISCLAIMER: The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19. The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement. We can only give legal advice to clients. Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG. An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest. As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you.  We will continue to produce educational content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice, does not create an attorney client relationship and you cannot rely on it as such. We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**