HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

HIPAA non-compliance penalties during emergencies

Written by Gugu Ntsele | Feb 19, 2025 2:22:50 PM

On March 30, 2020, the OCR released a notification which stated: "During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules. OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately."

This announcement highlights OCR’s willingness to adopt a flexible approach in times of crisis. However, this discretion does not mean that HIPAA enforcement is completely suspended.

Enforcement discretion and affirmative defenses

During public health emergencies, the OCR may exercise "enforcement discretion" regarding certain HIPAA requirements. This means:

  • The OCR may choose not to impose penalties for specific types of violations
  • Healthcare providers may receive more latitude in certain situations
  • Some technical requirements might be temporarily relaxed
  • Focus shifts to maintaining essential healthcare services while protecting privacy

The OCR has issued notices of enforcement discretion, providing temporary flexibility in enforcing certain HIPAA requirements while still emphasizing the need for reasonable privacy safeguards. For example, in a March 30, 2020 notification, the OCR announced that it would not impose penalties for noncompliance with HIPAA Rules related to the good faith provision of telehealth during the COVID-19 emergency.

Under 45 CFR § 160.410, covered entities and business associates may raise affirmative defenses against HIPAA violations if they can demonstrate that they did not know—and, through reasonable diligence, could not have known—about the violation. Additionally, if a violation was due to reasonable cause and not willful neglect, and corrective action was taken within 30 days of discovery, penalties may be avoided. This provision is relevant during emergencies when healthcare providers must make rapid decisions under extraordinary circumstances. If an organization can show that it acted in good faith and made reasonable efforts to comply with HIPAA, it may avoid penalties even if a technical violation occurred.

Standard HIPAA penalties still apply

Even during emergencies, organizations can face penalties for HIPAA violations. The four-tier penalty structure as outlined in 45 CFR § 160.404 remains in effect:

  1. Tier 1 (Did Not Know)
    • $100 - $50,000 per violation
    • Maximum $25,000 per year for each violation
  2. Tier 2 (Reasonable Cause)
    • $1,000 - $50,000 per violation
    • Maximum $100,000 per year for each violation
  3. Tier 3 (Willful Neglect – Corrected)
    • $10,000 - $50,000 per violation
    • Maximum $250,000 per year for each violation
  4. Tier 4 (Willful Neglect – Not Corrected)
    • $50,000 per violation
    • Maximum $1.5 million per year for each violation

Best practices to avoid penalties during emergencies

Healthcare organizations must adhere to HIPAA's security and compliance requirements, ensuring proper documentation, risk analysis, and staff training. 45 CFR § 164.316 requires covered entities to maintain written policies and procedures for HIPAA security compliance, including documentation of any changes made during a crisis. Additionally, 45 CFR § 164.308(a)(1)(ii)(A) requires organizations to conduct risk analyses to identify potential vulnerabilities and assess security risks. Workforce training is also essential, as outlined in 45 CFR § 164.308(a)(5)(i), which mandates security awareness and training programs for employees. Best practices include documenting all HIPAA-related decisions, keeping detailed records of privacy and security modifications, maintaining regular communication with compliance officers and legal counsel, monitoring OCR guidance on enforcement discretion, and returning to standard compliance practices as soon as the emergency ends.

Risk mitigation strategies

45 CFR § 164.312(a)(1) requires organizations to implement access controls to protect protected health information (PHI), ensuring that only authorized personnel can access sensitive data. Additionally, 45 CFR § 164.306 establishes general security standards for electronic protected health information (ePHI), requiring organizations to safeguard data against potential breaches. Strategies include conducting regular risk assessments, maintaining updated emergency protocols, training staff on modified procedures, implementing robust documentation practices, and promptly monitoring and reporting potential violations.

When violations occur

The Breach Notification Rule, outlined in 45 CFR §§ 164.400–164.414, requires covered entities and business associates to provide notifications following a breach of unsecured PHI. Under § 164.404(a), when a breach occurs, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. If the breach affects 500 or more individuals, § 164.406 requires notification to prominent media outlets in the affected region. Additionally, under § 164.408, breaches impacting 500 or more individuals must be reported to the Secretary of the HHS immediately, while smaller breaches must be reported annually.

Incident response procedures are also governed by these provisions, requiring organizations to document and investigate breaches under § 164.414(a). This includes conducting a risk assessment, considering factors such as the nature of the PHI involved, the unauthorized persons who accessed it, whether the PHI was actually acquired or viewed, and the extent of risk mitigation. Organizations must maintain written records of breach incidents and their responses to demonstrate compliance.

FAQs

What is enforcement discretion during emergencies?

Enforcement discretion allows the OCR to temporarily relax certain HIPAA requirements during emergencies.

Do standard HIPAA penalties still apply during emergencies?

Yes, standard HIPAA penalties remain in effect even during emergencies.

What should be done if a HIPAA violation occurs during an emergency?

If a violation occurs, organizations should document the incident, take corrective actions, and report the breach as needed to minimize the risk of penalties.