The HIPAA-Potamus in the Room: HIPAA During the COVID-19 Pandemic

HIPAA and COVID-19

In light of the novel COVID-19 pandemic, it is now more important than ever to make sure you are complying with patient privacy requirements. HIPAA, HITECH, and state laws all impact the responsibilities of health care providers and their business associates regarding the treatment and disclosure of confidential medical and health records. The HIPAA Security Rule, in particular, requires that covered entities keep electronically-stored Protected Health Information in a manner that maintains the records’ confidentiality, integrity, and availability. Even during the pandemic, covered health care providers must do the following:

  • Carefully identify potential risks and vulnerabilities;
  • Protect against reasonably-anticipated threats or hazards to the security of confidential information;
  • Protect against reasonably-anticipated impermissible uses or disclosures;
  • Ensure compliance by their employees; and
  • Provide access to usable electronically-stored Protected Health Information to authorized persons on demand.

However, on March 15, 2020, the Secretary of the U.S. Department of Health and Human Services (HHS) waived certain provisions of the HIPAA Privacy Rule. HHS will waive sanctions and penalties arising from a hospital’s noncompliance with the following:

  • The requirement to obtain a patient’s agreement to speak with family members or friends;
  • The requirement to honor a patient’s request to opt out of the facility directory;
  • The requirement to distribute a notice of privacy practices;
  • The patient’s right to request privacy restrictions; and
  • The patient’s right to request confidential communications.

The waiver applies only to hospitals that are in an emergency area identified in a public health emergency declaration and that have instituted a disaster protocol. In addition, the waiver lasts only for seventy-two hours after the disaster protocol is initiated.

Moreover, under a public health emergency, like the current COVID-19 pandemic, the HIPAA Security Rule does allow covered entities and business associates to disclose Protected Health Information in the following situations, even if the covered entity or business associate does not apply for the recent waiver:

  • As necessary to treat the patient or to treat a different patient;
  • To a public health authority that is authorized by law to collect or receive such information;
  • To persons at risk of contracting or spreading a disease if other law authorizes it to prevent or control the spread of the disease or carry out public health activities;
  • To a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care;
  • To a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death; or
  • With anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law and the provider’s standards of ethical conduct.

It is also important to remember that HIPAA requires a risk analysis and security assessment if any of the following has occurred:

  • A security incident;
  • A change in ownership;
  • Turnover in key staff; or
  • A plan to incorporate new technology.

Healthcare activities are being affected by the current COVID-19 crisis, and one or more of the events listed above may occur. If so, a risk analysis may be called for.

During this pandemic, HIPAA, HITECH, and state medical privacy laws are still applicable and, even with waivers, care should be exercised in all patient privacy matters.

For more information, contact Board Certified health care attorney Scott Chase.

Scott Chase, JD, has practiced health law, corporate law, and intellectual property law for more than 40 years. Mr. Chase is Board Certified in Health Law by the Texas Board of Legal Specialization. Mr. Chase is a partner at Farrow-Gillespie Heath Witter, LLP. His primary practice focus is business transactions for physicians and healthcare facilities, as well as healthcare regulatory issues, such as the Affordable Care Act, HIPAA, and peer review. Mr. Chase handles general corporate matters and trademark/copyright issues for physicians and also for a variety of non-healthcare clients.

Copyright 2019 Farrow-Gillespie Heath Witter LLP