Guidance from OCR: COVID and HIPAA

The HIPAA Privacy Rule requirements have been a challenge to healthcare providers due to the unusual circumstances created while treating patients during the COVID-19 pandemic. The Office for Civil Rights (OCR) has monitored the situation and taken steps to ensure healthcare is not compromised while still safeguarding the integrity of protected health information. It is likely HIPAA and COVID will remain an important topic for some time to come.

The OCR has provided Bulletins, Notifications of Enforcement Discretion, Guidance, and Resources that help explain how patient health information may be used and disclosed in response to the COVID-19 nationwide Public Health Emergency (PHE).

Below is a summary of recent bulletins published by the OCR to assist covered entities and business associates as they address the Privacy Rule during the PHE.

In February 2020 the OCR published a Bulletin which described how patient information may be shared under the HIPAA Privacy Rule during the COVID-19 outbreak.

  1. PHI may be disclosed without first receiving authorization from a patient for treatment purposes. PHI may be disclosed to coordinate and manage care for patient referrals and consultations with other healthcare providers.
  2. It is permissible to share PHI for Public Health Activities with public health authorities such as the CDC, state and local health departments, and others authorized by law for preventing and controlling disease and ensuring the safety of the public.
  3. Disclosures to Family, Friends and Others Involved in an Individual’s Care and for Notification are permitted with verbal consent, if it may be reasonably inferred the patient agrees or based on professional judgement if the patient is incapacitated.
  4. Disclosures of PHI are also permitted to prevent and lessen a serious and imminent threat to the health and safety of a specific person or the public in general, provided such disclosures are permitted under other laws.

Telehealth Remote Communications

On March 17, 2020 the OCR issued a Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 PHE. The OCR will exercise its enforcement discretion and will waive potential penalties for HIPAA noncompliance against healthcare providers that serve patients through the use of communication applications that may not be fully compliant with HIPAA during the COVID-19 PHE. This exercise of discretion applies to many communications apps, such as Zoom, FaceTime, Facebook Messenger video chat or Skype, as long as they are used in good faith for telehealth treatment or diagnostic purposes. The service does not have to be directly related to COVID-19.

First Responders, PHI & COVID

On March 24, 2020, the OCR issued guidance on how to deal with individuals infected with or exposed to COVID-19 who must be treated by law enforcement, paramedics, other first responders, and public health authorities while still remaining in compliance with HIPAA. This guidance clarifies the regulatory permissions that covered entities may use to disclose PHI to first responders and others so they can take extra precautions or use personal protective equipment. The guidance also includes a reminder that, generally, covered entities must make reasonable efforts to limit the PHI used or disclosed to that which is the “minimum necessary” to accomplish the purpose of the disclosure.

A covered entity may disclose PHI such as a name and identifying information without a HIPAA authorization when needed to provide treatment; when required by law; when first responders may be at risk for an infection; and when disclosure is necessary to prevent or lessen a serious and imminent threat.

Civil Rights Laws and HIPAA

The OCR issued a Bulletin on March 28, 2020 to remind entities covered by civil rights authorities to keep in mind their obligations under laws and regulations that prohibit discrimination on the basis of race, color, national origin, disability, age, sex, and exercise of conscience and religion in HHS-funded programs, including in the provision of health care services during COVID-19. The intention is to ensure that covered entities do not unlawfully discriminate against people with disabilities when making decisions about their treatment during the COVID-19 health care emergency.

Uses and Disclosures of PHI by Business Associates

On April 2, 2020 the OCR issued a Notification of Enforcement Discretion in order to support Federal public health authorities and health oversight agencies, such as the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers who need access to COVID-19 related data, including PHI.

The OCR will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.

Community-Based Testing Sites

On April 9, 2020 the OCR issued a Notice of Enforcement Discretion in order to support covered health care providers, including pharmacy chains, and their business associates that may choose to participate in the operation of a Community-Based Testing Site (CBTS), which includes mobile, drive-through, or walk-up sites that provide COVID-19 specimen collection or testing services to the public.

The OCR indicated it will not impose penalties for violations of the HIPAA Rules against covered entities or business associates in connection with the good faith participation in the operation of COVID-19 testing sites during the COVID-19 nationwide public health emergency. The enforcement discretion is retroactive to March 13, 2020.

Media Access to Protected Health Information

On May 5, 2020 the OCR issued Guidance reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ protected health information (PHI) will be accessible without the patients’ prior authorization.

The OCR makes clear that during the current COVID-19 public health emergency, health care providers are still required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before access is given to that PHI. The guidance indicates that masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient is not sufficient; prior authorization is required.

Contacting Patient About Blood & Plasma Donations

On August 24, 2020 the OCR issued Guidance on how the HIPAA Privacy Rule permits covered health care providers to contact their patients who have recovered from COVID-19 to inform them about how they can donate their blood and plasma containing antibodies to help other patients with COVID-19. This guidance explains how health care providers can connect COVID-19 survivors with blood and plasma donation opportunities and further public health consistent with patient privacy. The guidance makes it clear that without patients’ authorization, the providers cannot receive any payment from or on behalf of a blood and plasma donation center in exchange for such communications with recovered patients.

Use of Online or Web-Based Scheduling Applications for Scheduling Vaccination Appointments

On January 19, 2021 the OCR published a Notification of Enforcement Discretion, retroactive to December 11, 2020, that it will not impose penalties for violations of the HIPAA Rules on covered health care providers or their business associates in connection with the good faith use of online or web-based scheduling applications for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency.

The Notification encourages the use of reasonable safeguards to protect the privacy and security of individuals’ protected health information (PHI), such as using only the minimum necessary PHI, encryption technology, and enabling all available privacy settings.

Health Information Exchanges

On December 18, 2020 the OCR shared a Notification to highlight how HIPAA supports the use of health information exchanges (HIEs) in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency.

The OCR issued guidance on how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits covered entities and their business associates to use health information exchanges to disclose PHI for the public health activities of a public health authority.

Throughout the public health emergency, the OCR continues to give healthcare providers guidance on how best to protect PHI and still manage the COVID pandemic. The OCR continues to emphasize the necessity to follow the Privacy Rule, as it addresses most scenarios faced during the treatment of patients affected by the virus. Providers continue to have the right to disclose PHI for treatment and to public health authorities to ensure public safety. PHI may be disclosed to help prevent and lessen a serious and imminent threat to a specific person or the public in general, provided such disclosures are permitted under other laws. In addition, PHI may be disclosed through certain telehealth tools which may not be HIPAA compliant, as long as precautions are taken.

The OCR continues to support community-based testing sites as long as there are good faith efforts to protect PHI in the operation of the testing sites during the PHE.

Media must be aware of the rights of patients and make all efforts to protect PHI before addressing patients.

Patients may be contacted for donation of blood for COVID treatment purposes as long as payment is not received by providers.

Web-based scheduling is a reasonable response to scheduling COVID vaccinations as long as reasonable safeguards are used in these efforts.

COVID will be with us for some time; consequently, covered entities and business associates should review OCR guidance to address concerns and to stay up to date with the latest news.