
HIPAA Privacy Rule Waiver in Response to COVID-19



During an emergency or public health crisis, some elements of the HIPAA Privacy Rule may be waived. As of March 15, 2020, the Secretary of the Department of Health and Human Services (HHS) issued an emergency Privacy Rule waiver in response to the COVID-19 health crisis to protect protected health information (PHI).

A HIPAA Privacy Rule waiver is issued to facilitate quick response to public health issues, temporarily waiving fines associated with certain disclosures. The following discusses the Privacy Rule waiver in more detail.

What Conditions Enable the HIPAA Privacy Rule Waiver?

There are two conditions that must be met before the Secretary may issue an emergency HIPAA Privacy Rule waiver:

  • The President declares an emergency or disaster; and
  • The Secretary of HHS declares a public health emergency.

With regard to the COVID-19 crisis, both conditions have been met. However, the waiver is a temporary measure and only applies:

  • To the area identified in the public health emergency declaration.
  • To covered entities that have instituted a disaster protocol.
  • For up to 72 hours from the time the disaster protocol is implemented.

If the President or Secretary terminates the emergency declaration, the Privacy Rule waiver no longer applies.

Which HIPAA Privacy Rule Provisions are Waived?

The HIPAA Privacy Rule waiver applies to the following:

  • The requirement to distribute a notice of privacy practices.
  • The patient’s right to request privacy restrictions.
  • The patient’s right to request confidential communications.
  • The requirement to obtain a patient’s consent to speak with family members or friends involved in the patient’s care.
  • The requirement to honor a request to opt out of a covered entity’s facility directory.

Under the Privacy Rule waiver, protected health information may be disclosed, without prior patient consent, to public health authorities to protect public health and safety. Additionally, PHI may be disclosed without prior consent to individuals involved in the patient’s care such as family members, friends, and caregivers.

Minimum Necessary Standard and Emergencies

Even in an emergency, the minimum necessary standard must be upheld. All disclosures of PHI must be restricted to what is necessary for public health and safety.
