COVID-19 Pandemic Results in Easing of HIPAA Enforcement by HHS

Apr 6, 2020

It has been announced that the Department of Health and Human Services (HHS) will ease the imposition of penalties for specific data privacy breaches during the COVID-19 pandemic.

The Notice of Enforcement Discretion applies to breaches of the HIPAA Privacy Rule by healthcare providers and their business associates for good-faith disclosures of protected health information for public health purposes during the current health crisis.

The HIPAA Privacy Rule states that business associates of HIPAA-covered entities are only permitted to share protected health information for specific reasons detailed in their business associate agreement (BAA) with a HIPAA-covered entity. The temporary Notice of Enforcement Discretion states that the OCR will not impose penalties for the disclosure of protected health information if the business associate makes good-faith uses or disclosures for public health activities and informs the covered entity of the use or disclosure within 10 business days.

The announcement was made last week to improve data sharing with public health agencies such as the Centers for Medicare and Medicaid Services (CMS) and the Centers for Disease Control and Prevention, as they require access to COVID-19 related data which may include protected health information to achieve their objectives.

In relation to the move, OCR director Roger Severino commented: “The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic. Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

OCR explained that the Notice of Enforcement Discretion does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules.

Sanctions and penalties will not be imposed on covered entities that do not comply with the following provisions of the HIPAA Privacy Rule, as of March 15, 2020:

  • All requirements to obtain a patient’s permission to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • All requirements to respect a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • All requirements to share a notice of privacy practices. See 45 CFR 164.520.
  • The right to request privacy restrictions for a patient. See 45 CFR 164.522(a).
  • The right to request confidential communications of a patient. See 45 CFR 164.522(b).

The Notice of Enforcement Discretion will remain in effect for the duration of the COVID-19 public health emergency or until the HHS Secretary declares the public health emergency is over.

OCR Director Roger Severino also stated: “HHS is committed to leaving no one behind during an emergency, and this guidance is designed to help health care providers meet that goal. Persons with disabilities, with limited English skills, or needing religious accommodations should not be put at the end of the line for health services during emergencies. Our civil rights laws protect the equal dignity of every human life from ruthless utilitarianism.”



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
