Summary of Federal Privacy Guidance, Waivers, and Enforcement Discretion for Health Information Professionals

By Lauren Riplinger, JD


Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites (CBTS)1

During the COVID-19 national emergency, certain covered health care providers, including large pharmacy chains, and their business associates may choose to participate in the operation of COVID-19 specimen collection and testing sites (Community-Based Testing Sites, or CBTS). A CBTS includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.

Effective March 13, 2020, the HHS Office for Civil Rights (OCR) will exercise enforcement discretion and will not impose penalties for noncompliance with HIPAA against all covered providers and their business associates in connection with good faith participation in the operation of a CBTS during the COVID-19 nationwide PHE. The operation of a CBTS includes all activities that support the collection of specimens from individuals for COVID-19 testing.


Covered providers participating in good faith operation of a CBTS are encouraged to implement reasonable safeguards to protect the privacy and security of individuals’ PHI. Reasonable safeguards include the following:

  • Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment.
  • Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
  • Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS. (A six-foot distance would serve this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19.)
  • Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
  • Using secure technology at a CBTS to record and transmit electronic PHI.
  • Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.

Covered providers and business associates are encouraged to implement these reasonable safeguards at a CBTS; however, OCR will not impose penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in connection with the good faith operation of a CBTS.

This notification does not apply to health plans or healthcare clearinghouses when they are performing health plan and clearinghouse functions. If an entity performs both plan and provider functions, the notification applies to the entity only in its role as a covered health care provider and only to the extent that it participates in a CBTS. The notification also does not apply to covered providers or their business associates when such entities are performing non-CBTS related activities, including the handling of PHI outside of the operation of a CBTS. Potential HIPAA penalties still apply to all other HIPAA-covered operations of the covered provider or business associate, unless otherwise stated by OCR.

For example:

  • A pharmacy that participates in the operation of a CBTS in the parking lot of its retail facility could be subject to a civil money penalty for HIPAA violations that occur inside its retail facility at that location that are unrelated to the CBTS.
  • A covered clinical laboratory that has workforce members working on site at a CBTS could be subject to a civil money penalty for HIPAA violations that occur at the laboratory itself.
  • A covered provider that experiences a breach of PHI in its existing electronic health record system, which includes PHI gathered from the operation of a CBTS, could be subject to a civil money penalty for violations of the HIPAA Breach Notification Rule if it fails to notify all individuals affected by the breach (including individuals whose PHI was created or received from the operation of a CBTS).

The notification will remain in effect until the Secretary of HHS declares that the public health emergency (PHE) no longer exists or upon the expiration date of the declared PHE, including any extensions, whichever occurs first.

FBI Guidance on Defending Against VTC Hijacking and Zoom-bombing2

The Federal Bureau of Investigation (FBI) has released an article on defending against video-teleconferencing (VTC) hijacking (referred to as “Zoom-bombing” when the attacks target the Zoom VTC platform). Many organizations and individuals are increasingly dependent on VTC platforms, such as Zoom and Microsoft Teams, to stay connected during the Coronavirus Disease 2019 (COVID-19) pandemic. The FBI has released this guidance in response to an increase in reports of VTC hijacking.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the FBI article as well as the following steps to improve VTC cybersecurity:

  • Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
  • Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
  • Ensure VTC software is up to date. See Understanding Patches and Software Updates.

CISA also recommends the following VTC cybersecurity resources:

Individual Posing as OCR Investigator

It has come to OCR’s attention that an individual posing as an OCR Investigator has contacted HIPAA covered entities in an attempt to obtain protected health information (PHI). The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation.

HIPAA covered entities and business associates should alert their workforce members and can take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in, and asking for a confirming email from the OCR investigator’s email address. If organizations have additional questions or concerns, please send an email to: [email protected].

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation (FBI). The FBI issued a public service announcement about COVID-19 fraud schemes.

HHS OCR Enforcement Discretion for Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities3

Effective April 2, 2020, OCR will exercise its enforcement discretion and will not impose potential penalties against covered health care providers or their business associates under the Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), and 45 CFR 164.504(e)(1) and (5), provided:

  • The business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b) or health oversight activities consistent with 45 CFR 164.512(d); and
  • The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

This enforcement discretion does not extend to other requirements or prohibitions under the Privacy Rule nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. Nor does this notification address the federal or state laws (including breach of contract claims) that might apply to the uses and disclosures of this information.

Examples of good faith uses or disclosures covered by this notification can be found here.

HHS OCR Guidance Regarding PHI of Individuals Exposed to COVID-194

The HIPAA Privacy Rule permits a covered entity to disclose the protected health information (PHI) of an individual who has been infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders, and public health authorities5 without the individual’s HIPAA authorization, in certain circumstances, including the following6:

  • When disclosure is needed to provide treatment. For example, HIPAA permits a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital’s emergency department. 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(2).
  • When such notification is required by law. For example, HIPAA permits a covered entity, such as a hospital, to disclose PHI about an individual who tests positive for COVID-19 in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials. 45 CFR 164.512(a).
  • To notify a public health authority in order to prevent or control spread of disease. For example, HIPAA permits a covered entity to disclose PHI to a public health authority (such as the Centers for Disease Control and Prevention (CDC), or state, tribal, local, and territorial public health departments) that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability, including for public health surveillance, public health investigations, and public health interventions. 45 CFR 164.512(b)(1)(i); see also 45 CFR 164.501 (providing the definition of “public health authority”).
  • When first responders may be at risk of infection. A covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law, such as state law, to notify persons as necessary in the conduct of a public health intervention or investigation. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).
  • When disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. A covered entity may disclose PHI to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat, which may include the target of the threat. For example, HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties. 45 CFR 164.512(j)(1).
  • When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual, if the facility or official represents that the PHI is needed for:
    • providing health care to the individual;
    • the health and safety of the individual, other inmates, officers, employees and others present at the correctional institution, or persons responsible for the transporting or transferring of inmates;
    • law enforcement on the premises of the correctional institution; or
    • the administration and maintenance of the safety, security, and good order of the correctional institution. For example, HIPAA permits a covered entity, such as a physician, located at a prison medical facility to share an inmate’s positive COVID-19 test results with correctional guards at the facility for the health and safety of all people at the facility. 45 CFR 164.512(k)(5).

General Considerations: Except when required by law, or for treatment disclosures, a covered entity must make reasonable efforts to limit the information used or disclosed under any provision listed above to that which is the “minimum necessary” to accomplish the purpose for the disclosure. 45 CFR 164.502(b).

In some cases, more than one provision of the HIPAA Privacy Rule may apply to permit a particular use or disclosure of PHI by a covered entity. Additional examples related to this guidance can be found here.

HHS OCR Enforcement Discretion for Telehealth Remote Communications7

OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.

A covered healthcare provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.

Under the notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

Under the notice, however, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered healthcare providers.

Covered healthcare providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. The list below includes some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA:

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts Meet
  • Cisco Webex Meetings / Webex Teams
  • Amazon Chime
  • GoToMeeting
  • Spruce Health Care Messenger

Note: OCR has not reviewed the BAAs offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA BAA with a covered entity. Further, OCR does not endorse any of the applications that allow for video chats listed above.

Under the notice, OCR will not impose penalties against covered healthcare providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.

An OCR FAQ on telehealth and HIPAA during the COVID-19 public health emergency can be found here.

HHS OCR Waiver of Sanctions and Penalties8

In response to President Donald J. Trump’s declaration of a nationwide emergency concerning COVID-19, and Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar’s earlier declaration of a public health emergency on January 31, 2020, Secretary Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b)
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a)
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a)
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

The waiver became effective on March 15, 2020. When the Secretary issues such a waiver, it only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

SAMHSA COVID-19 Public Health Emergency Response and 42 CFR Part 2 Guidance9

In accordance with the Centers for Disease Control and Prevention guidelines on social distancing, as well as state or local government-issued bans or guidelines on gatherings of multiple people, many substance use disorder treatment provider offices are closed, or patients are not able to present for treatment services in person. Therefore, there has been an increased need for telehealth services, and in some areas without adequate telehealth technology, providers are offering telephonic consultations to patients. In such instances, providers may not be able to obtain written patient consent for disclosure of substance use disorder records.

The prohibitions on use and disclosure of patient identifying information under 42 CFR Part 2 would not apply in these situations to the extent that, as determined by the provider(s), a medical emergency exists. Under 42 U.S.C. § 290dd-2(b)(2)(A) and 42 CFR § 2.51, patient identifying information may be disclosed by a Part 2 program or other lawful holder to medical personnel, without patient consent, to the extent necessary to meet a bona fide medical emergency in which the patient’s prior informed consent cannot be obtained. Information disclosed to the medical personnel who are treating such a medical emergency may be re-disclosed by such personnel for treatment purposes as needed. SAMHSA notes that Part 2 requires programs to document certain information in their records after a disclosure is made pursuant to the medical emergency exception. SAMHSA emphasizes that, under the medical emergency exception, providers make their own determinations whether a bona fide medical emergency exists for purposes of providing needed treatment to patients.10

Lauren Riplinger, JD, ([email protected]) is Vice President, Policy & Government Affairs, at AHIMA.

  1. HHS. Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency. Available at:
  2. Department of Homeland Security. CISA. FBI Releases Guidance on Defending Against VTC Hijacking and Zoom-bombing. Available at:
  3. Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19. Available at:
  4. Office of Civil Rights. COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities. Available at:
  5. Under HIPAA, “public health authority” means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. 45 CFR 164.501 (definition of “public health authority”).
  6. The HIPAA Privacy Rule limitations only apply if the entity or individual that is disclosing protected health information meets the definition of a HIPAA covered entity or business associate. This guidance provides examples of disclosures from certain types of entities, some of which are covered by HIPAA, and others that may not be. While the entities in the examples are covered under HIPAA, the examples are not intended to imply that all public health authorities, 911 call centers, or prison doctors, for example, are covered by HIPAA and are required to comply with the HIPAA Rules.
  7. Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency.
  8. COVID-19 & HIPAA Bulletin limited waiver of HIPAA sanctions and penalties during a nationwide public health emergency. Available at:
  9. COVID-19 public health emergency response and 42 CFR Part 2 guidance. Available at:
  10. Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, enacted on March 27, 2020, will require an initial, affirmative, written consent from patients. Once the initial written consent of the patient has been obtained, a patient’s substance use health information may be used, disclosed, or redisclosed by a covered entity, business associate, or a Part 2 program for purposes of treatment, payment, or healthcare operations as permitted under HIPAA. No later than one year after the date of enactment of the CARES Act, HHS shall make the necessary revisions to the 42 CFR Part 2 regulation.
Bookmark AHIMA’s COVID-19 Resources

  • Journal of AHIMA—COVID-19. An authoritative source for healthcare-relevant news and perspectives on the global response to the COVID-19 pandemic.
  • COVID-19 Index. Continuously updated with resources, AHIMA news, and navigable links to public health and professional organizations.
  • AHIMA Engage—COVID-19 Community. A digital networking page to exchange ideas, information, and perspectives.
