The Department of Health and Human Services has issued a number of waivers in the wake of the COVID-19 (Coronavirus) public health emergency.  In this context, a “waiver” refers to a statement by Health and Human Services (HHS) that it will not impose penalties for noncompliance with certain regulatory requirements under HIPAA rules.  In addition, HIPAA contains built-in flexibility for covered entities during a public health emergency.


Telecommunications with Patients.

The Office for Civil Rights (OCR) at HHS has issued a waiver that has the practical effect of permitting physicians to communicate with their patients via certain video communication platforms that may not be HIPAA compliant.  Platforms that are not included within the waiver are public facing products such as Facebook Live, Twitch, and TikTok.  Platforms that were specifically mentioned in the waiver are FaceTime, Facebook Messenger, Skype, and Google Hangouts.  In addition, the announcement listed several platforms that are HIPAA compliant and have agreed to enter into HIPAA business associate agreements (BAAs).  These platforms will provide additional privacy protections and include:

  • Skype for Business
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts Meet

OCR has indicated that this is not a complete list of HIPAA compliant platforms and stressed that the provider may use any non-public facing remote communication product that is available to communicate with patients.

Information Disclosures by Hospitals

HHS Secretary Alex M. Azar has exercised the authority to waive sanctions and penalties against hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care.
  • the requirement to honor a request to opt-out of the facility directory.
  • the requirement to distribute a notice of privacy practices.
  • the patient's right to request privacy restrictions.
  • the patient's right to request confidential communications.

The waiver became effective on March 15, 2020 and applies only (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.


Existing HIPAA rules provide flexibility in sharing information during a public health emergency:

Treatment. Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient.

Public Health Concerns.  Covered entities may disclose information without patient authorization to public health authorities (or at the direction of a public health authority) and to persons at risk.  Generally speaking, disclosures to persons at risk involve information necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.

Family, Friends, and Others Involved in an Individual’s Care.  Generally, these types of disclosures are limited to individuals identified by the patient as being involved in his or her care, or as necessary by the covered entity to identify persons responsible for the patient’s care.  There are some guidelines that should be followed when disclosures are made to those involved in an individual’s care.  The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible; if the individual is incapacitated or not available, covered entities may share information if, in their professional judgment, doing so is in the patient’s best interest.  If a patient is unconscious or incapacitated, a health care provider may share information if the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.

Disclosures to Prevent a Serious and Imminent Threat.  Health care providers may share patient information with anyone as necessary to lessen an imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.  In all cases listed above, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose.

If you have any questions, please feel free to call Cohen Legal Group at 954.617.6500 or email us at info@accidentinjurycounsel.com.