
HIPAA Waivers and What Healthcare Providers Need to Know


Telemedicine Waiver

In order to access patients outside of the physician office or hospital setting, the President of the United States on March 17, 2020 granted a waiver of enforcing the HIPAA Security rules to permit the use of smart phones and non-public facing telecommunication devices to facilitate telehealth visits without requiring secure telecommunication systems through contracted business associates.

Specifically, the Department of Health and Human Services (“DHHS”) Office of Civil Rights (“OCR”) will waive penalties for HIPAA violations against healthcare providers who serve patients in good faith through the use of audio or video communication technology during the COVID-19 nationwide public health emergency. Healthcare providers can use any non-public facing remote communication product that is available to communicate with patients. Further, healthcare providers can use the non-public facing communication tools for any reason, not just for the diagnosis and treatment of COVID-19.

Some examples of non-public facing technology identified by OCR include the following:

  • Apple FaceTime
  • Facebook Messenger video chat
  • Google Hangouts video
  • Skype

However, the list does not include FaceTime Live, TikTok or Twitch, because those applications are public facing.

In addition, OCR has exercised its discretion not to enforce the requirement for the healthcare provider to have a business associate agreement with the communication vendor.

Therefore, healthcare providers can reach patients in locations such as the patient’s residence, office, home or other already approved originating sites to provide telehealth visits using common smartphone applications, non-public facing video chat, or desktop computer applications.

In providing telemedicine services during this time of crisis, healthcare practitioners should take the following actions:

  1. Ensure the patient is aware of, and consents to, the use of an unsecured transmission for the telehealth visit;
  2. Ensure the patient is aware that he or she is responsible for his or her surroundings and for preventing disclosure of his or her health information to a third party;
  3. Healthcare practitioners (i.e. physicians, advanced practice registered nurses or physician assistants) should implement safeguards to physically separate themselves from the public or third parties in order to protect the patient’s information; and
  4. Document in the medical record the practitioner’s findings, diagnosis and clinical documentation in the same manner the documentation would be used for an in-person visit.

It is imperative that healthcare providers only use this method of communicating with patients during the national and public health emergency time period.

Limited Privacy Rule Waiver

In addition to the Telemedicine HIPAA Security Rule waiver, the DHHS provided limited waivers to allow hospitals to relax some procedures during a disaster protocol. Specifically, effective on March 15, 2020, DHHS granted a waiver for enforcing HIPAA fines and penalties against hospitals that have implemented a disaster protocol for failure to comply with:

  • the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient's right to request confidential communications. See 45 CFR 164.522(b).

This waiver is limited to the following conditions:

  1. in the emergency area identified in the public health emergency declaration;
  2. to hospitals that have instituted a disaster protocol; and
  3. for up to 72 hours from the time the hospital implements its disaster protocol. (Note: When the Presidential declaration of a national emergency or the Secretary of DHHS declaration of a public emergency terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since the implementation of its disaster protocol.)

Source: CMS March 2020 COVID-19 & HIPAA Bulletin, Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency