HIPAA Privacy Rule Largely in Force During Pandemic

Following Health and Human Services (“HHS”) Secretary Azar’s declaration of a public health emergency on January 31 and President Trump’s national emergency declaration on March 13, Secretary Azar temporarily suspended certain HIPAA confidentiality provisions and sanctions, to allow the sharing of patient information in connection with the Novel Coronavirus (COVID-19) outbreak. HIPAA’s Privacy and Security Rules remain unchanged for the vast majority of covered entities, including health insurance companies, health care clearinghouses, and health care providers other than those providing telehealth services and hospitals that have instituted a disaster protocol. Covered entities should continue following established internal guidelines and best practices to protect the privacy and security of health information.

Under Secretary Azar’s limited waiver of HIPAA sanctions and penalties, the Privacy Rule is not suspended in toto; the waiver is applicable only to covered hospitals (i.e., those that have implemented a disaster protocol, for up to 72 hours from the time of implementation) and, even then, only with respect to a confined set of provisions—the requirements to honor a request to opt out of a facility directory [45 CFR 164.510(a)], to obtain a patient’s agreement to speak with others involved in the patient’s care [45 CFR 164.510(b)], and to distribute privacy notices [45 CFR 164.520], and a patient’s right to request privacy restrictions [45 CFR 164.522(a)] and confidential communications [45 CFR 164.522(b)]. The waiver addresses the emergent nature of the COVID-19 pandemic, but does not alter previously recognized limitations of the Privacy Rule; even without a waiver, patient information may be disclosed in certain circumstances, such as where disclosure is necessary for patient treatment or to a public health authority involved in preventing or controlling disease (e.g., Centers for Disease Control and Prevention).

To facilitate and promote remote communication methods between providers and patients during the COVID-19 public health emergency, HHS has also suspended enforcement of HIPAA penalties for providers using non-public facing audio or video methods of communication. The waiver of penalties in connection with the remote provision of medical services and the waiver for covered hospitals are both limited and temporary in nature. Accordingly, covered entities should continue to safeguard protected health information through established policies and procedures.

Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit

