Coronavirus Regulatory and Legal-HIPAA


March 26, 2021

Legal Helpline is available at (720) 858-6030—Monday–Friday 8am to 5pm MST

COPIC reminds our insureds during this time of the applicability of HIPAA laws as it relates to social media posts and acts within facilities. Specifically, we ask that insureds remain aware of these laws when posting photos to social media accounts as well as general professionalism standards. Insured facilities should take this time to remind their workforce members of policies and procedures regarding photos taken on personal devices. 

The following references provide details as to the current laws. 

HIPAA and Telemedicine
OCR will waive potential HIPAA penalties for the good faith use of telehealth during the epidemic. HIPAA-covered health care providers may communicate with patients through any non-public facing remote communication product. In January 2021, OCR expanded this waiver of HIPAA penalties to cover the good faith use of online or web-based scheduling applications to schedule appointments for COVID-19 vaccinations. The waivers apply until the emergency declaration terminates.

When considering providing telehealth services out-of-state in response to testing, treatment, and care of patients with COVID-19, providers should access state medical board sites for the latest information regarding guidance for health care professionals not currently licensed in the state.

For more information, please see:

Waiver of Certain HIPAA Requirements – Covered Hospitals
The Secretary of the Department of Health and Human Services (“Secretary”) has waived sanctions and penalties, beginning March 15, 2020, against a covered hospital that does not comply with the following requirements of the HIPAA Privacy Rule: 
• The requirement to obtain a patient’s agreement to speak with family members or friends;
• The requirement to honor a request to opt out of the facility directory;
• The requirements to distribute a notice of privacy practices;
• The patient’s right to request privacy restrictions; and, 
• The patient’s right to request confidential communications. 

This waiver only applies to the above provisions, and only in an emergency area identified in the public health emergency declaration (nationwide) to hospitals that have instituted a disaster protocol; and for up to 72 hours from the time the hospital implements said disaster protocol. Once the emergency declaration terminates, the hospital must comply with the Privacy Rules for any patient under its care, even if 72 hours have not elapsed since the implementation of the disaster protocol. The remainder of the HIPAA Privacy Rule remains intact.

The bulletin also contains an informative discussion of how HIPAA applies in emergencies, including a description of when the sharing of patient information is permitted for treatment, public health activities, and to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, without patient authorization.

A link to the Secretary’s declaration can be found below, which includes a link to the HIPAA Privacy Rule.

Disclosures to First Responders 
OCR issued guidance on how covered entities may disclose protected health information (PHI) about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities in compliance with the HIPAA Privacy Rule.

The guidance explains that a covered entity may disclose PHI about a patient, without a HIPAA authorization:
• When needed to provide treatment;
• When required by law;
• When first responders may be at risk for an infection; and
• When disclosure is necessary to prevent or lessen a serious and imminent threat.

OCR provides several illustrative examples, applicable to a public health emergency, of when disclosures of PHI to first responders and others are permitted so they can take extra precautions or use personal protective equipment. Except when required by law, or for treatment, only the “minimum necessary” should be disclosed.

For further information, please see 

Disclosures by Business Associates for Public Health and Health Oversight Activities
On April 2, 2020, OCR announced that it will waive any potential penalties for the good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency. This includes disclosures to the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers that need access to COVID-19 related data, including PHI. The HIPAA Privacy Rule already permits covered entities to provide this data, and now business associates are also permitted to share this data without risk of a HIPAA penalty.

For further information, please see 

Disclosures at Community-based Testing Centers (mobile, drive-up or walk-up)
On April 9, 2020, OCR announced that it will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers or their business associates in connection with the good faith participation in the operation of a COVID-19 mobile, drive-up or walk-up testing site during the COVID-19 nationwide public health emergency. Nevertheless, providers are encouraged to implement reasonable safeguards, including:
• Disclosing only the minimum PHI necessary except for treatment purposes.
• Setting up canopies or opaque barriers during the collection of samples.
• Controlling foot and car traffic to create adequate distancing (six feet) to minimize the ability of persons to see or overhear screening interactions.
• Establishing a “buffer zone” to prevent the media or public from observing or filming individuals at the testing center and posting signs prohibiting filming.
• Using secure technology to record and transmit electronic PHI.
• Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals at a testing center.

Penalties will not be assessed for noncompliance as long as the provider is acting in good faith. The relaxed enforcement only applies at the testing site and does not apply at any other locations.

For additional information, please see: 

On June 12th, OCR issued guidance for health care providers wishing to contact former COVID-19 patients for blood and/or plasma donation. 

Under this guidance, a health care provider is permitted to use PHI in order to contact patients who have recovered from COVID-19 regarding blood and/or plasma donations without an authorization. This is considered a health care operation, more specifically, a population-based activity aimed at improving health. However, providers need to be mindful that any recommendation to a specific blood and/or plasma donation center for which any direct or indirect payment is received is strictly prohibited. A recommendation to a specific blood and/or plasma donation center where there is no direct or indirect payment is allowed.

It is worth noting that the exception outlined above does not include a provider disclosing PHI directly to the blood and/or plasma donation center (which, in turn, contacts the recovered patient). This is considered marketing, and a properly executed authorization from the recovered patient is required for this type of disclosure.

The full guidance can be found at: