COVID-19 Support Group HIPAA Considerations: A Practical Privacy and Compliance Guide



Kevin Henry

HIPAA

April 10, 2026

8 minutes read

HIPAA Applicability to Support Groups

HIPAA applies when a support group is operated, sponsored, or documented by a covered entity or its business associate and the group handles Protected Health Information (PHI). If your hospital, clinic, health plan, or affiliated vendor runs the group, treat everything the organization collects or maintains about participants as PHI.

When a support group is HIPAA-covered

  • The group is facilitated by a provider or health plan workforce member as part of treatment, care management, or operations.
  • Attendance, screening, or session notes are stored in an EHR, scheduling system, or other records controlled by the covered entity.
  • Third-party platforms (video, texting, apps) are used on behalf of the organization, triggering business associate obligations.

Core obligations for covered entity compliance

  • Designate a privacy lead for the group and apply the Minimum Necessary Standard for non-treatment uses and disclosures.
  • Execute Business Associate Agreements (BAAs) with any vendor that handles PHI (video platform, transcription, cloud storage).
  • Fulfill Security Rule safeguards for e-PHI: risk analysis, access controls, audit logs, breach response, and workforce training.
  • Provide appropriate notices and obtain authorizations when required (for example, if using photos, testimonials, or recordings beyond treatment or operations).

Remember that information a participant shares aloud is not automatically PHI; it becomes PHI when your organization creates or maintains a record of it. Be intentional about what you collect and why.

HIPAA Applicability to Peer-Led Groups

Peer-led or community-run groups that are not created, sponsored, or documented by a covered entity or business associate generally fall outside HIPAA. Individuals may share their own health information freely, and peer facilitators are not bound by HIPAA unless they act on behalf of a covered entity.

However, privacy still matters

  • Set clear ground rules: confidentiality, consent before sharing others’ stories, and no recording without permission.
  • Collect only what is essential (first name or alias is often sufficient). Avoid rosters that combine names with diagnoses.
  • If you store any personal information, secure it with strong passwords and limit access; state consumer privacy or confidentiality laws may still apply.

When a peer group partners with a clinic—using its staff, systems, or funding—it can become HIPAA-covered. Clarify who is running the group and who controls the data before the first meeting.

Privacy Measures for Support Groups

Foundational practices

  • State the purpose of the group and define what counts as PHI in your context (names paired with conditions, treatment dates, contact info).
  • Adopt the Minimum Necessary Standard: collect, use, and disclose only what is needed for facilitation and follow-up.
  • Use first names or initials in group settings; separate clinical notes from group logistics when possible.

Handling PHI in shared settings

  • Avoid visible sign-in sheets that expose diagnoses; use discreet check-in or digital registration with privacy screens.
  • Prohibit photos, screenshots, and recordings unless you have explicit, written authorization for a defined purpose.
  • When sharing success stories, de-identify details (no unique dates, locations, or rare conditions) unless you have authorization.

Data Encryption Standards and secure configuration

  • Encrypt data in transit with TLS 1.2+ and data at rest with AES-256 or equivalent; prefer solutions using FIPS 140-2/140-3 validated modules.
  • Enable multifactor authentication for facilitators; restrict admin privileges; turn on waiting rooms and meeting locks for virtual sessions.
  • Disable cloud recording by default. If recording is necessary, store it in an approved repository with access logs and retention limits.

Documentation and training

  • Maintain a written protocol covering admission, confidentiality, escalation for safety concerns, and incident response.
  • Train all facilitators—staff and volunteers—on privacy rules, device hygiene, and how to prevent inadvertent disclosures.
  • Review vendor BAAs annually and test your breach response plan with realistic scenarios.

Telehealth and HIPAA During COVID-19

During the COVID-19 emergency, federal Enforcement Discretion allowed good-faith telehealth using non-public-facing tools. That temporary flexibility supported continuity of care and group-based education when in-person meetings were restricted.

What applies now

  • Use HIPAA-compliant platforms with BAAs; verify encryption is enabled end to end where available.
  • Configure the platform's telehealth privacy settings: unique meeting IDs, waiting rooms, host-only screen sharing, name display controls, and participant removal options.
  • Confirm participant identity privately when needed, obtain a call-back number and emergency location, and document consent for virtual participation.
  • For hybrid groups, separate clinical interactions from community discussion to minimize PHI exposure.

If your organization integrated temporary tools during the pandemic, complete a post-emergency risk analysis, migrate any residual data to approved systems, and terminate access to sunset platforms.

Expiration of COVID-19 Public Health Emergency HIPAA Notifications

The federal COVID-19 Public Health Emergency ended on May 11, 2023. On that date, OCR’s pandemic-era HIPAA Enforcement Discretion notices expired. OCR allowed a 90-day transition for telehealth compliance that concluded on August 9, 2023. From that point forward, normal HIPAA enforcement fully resumed.

What expired

  • Good-faith use of non-public-facing telehealth tools without full HIPAA safeguards.
  • Flexibility for Community-Based Testing Sites (CBTS) to operate without certain HIPAA penalties.
  • Temporary permissions affecting some business associate disclosures and certain web-based scheduling tools deployed for COVID-19 activities.

Post-PHE action steps

  • Validate that every tool handling PHI is under a BAA and meets your security baseline.
  • Purge or archive pandemic-era recordings and chat logs per retention policy; restrict lingering admin accounts.
  • Reinforce workforce training on standard HIPAA rules and document your return-to-standard controls.

Disclosures to Public Health Authorities

HIPAA permits covered entities to disclose PHI to public health authorities for disease prevention, control, surveillance, and reporting. You may also disclose to persons at risk when authorized by law or at the direction of a public health authority.

Applying the Minimum Necessary Standard

  • Limit disclosures to what is reasonably necessary for the stated public health purpose.
  • When a public health authority specifies the data it needs, you may reasonably rely on that request as the minimum necessary.
  • If a statute or order requires a disclosure, share what the law requires and retain documentation of the request.

Documentation and accountability

  • Verify the identity and legal authority of the requester.
  • Record the legal basis, scope of PHI disclosed, and date. Maintain an accounting of disclosures as required.
  • Educate facilitators to route public health requests to your privacy officer rather than responding ad hoc.

HIPAA Flexibility for COVID-19 Testing Sites

During the emergency, OCR exercised Enforcement Discretion for community-based COVID-19 testing sites so providers could operate drive-through and walk-up locations in good faith without certain HIPAA penalties. That flexibility ended on May 11, 2023; standard HIPAA rules now apply to any testing conducted in connection with support group activities.

Practical setup after the PHE

  • Use privacy screens or separate areas to avoid incidental disclosures; keep lines spaced and signage neutral.
  • Collect only essential data, secure it immediately, and store results in approved clinical systems.
  • Ensure staff and volunteers understand what constitutes PHI and how to prevent disclosures during registration and specimen handling.

If a community partner conducts testing on your premises, confirm roles in writing, execute BAAs if they will create or receive PHI on your behalf, and align on incident response.

FAQs

When does HIPAA apply to COVID-19 support groups?

HIPAA applies when a covered entity (such as a clinic, hospital, or health plan) or its business associate runs the group and creates or keeps records containing PHI. If the group is facilitated by organizational staff, uses the organization’s systems, or integrates with clinical care, treat it as HIPAA-covered. Purely peer-led groups that are independent of covered entities are typically outside HIPAA.

How should support groups handle participant Protected Health Information?

Collect the minimum necessary, avoid public sign-in sheets that reveal conditions, prohibit recording without written authorization, and store any PHI in approved systems with encryption and access controls. Use HIPAA-ready platforms under BAAs, enable waiting rooms and meeting locks, and train facilitators on privacy, de-identification, and breach response.

What are the privacy requirements for telehealth during COVID-19?

During the emergency, OCR allowed good-faith use of non-public-facing tools for telehealth. That temporary Enforcement Discretion ended with the public health emergency on May 11, 2023, followed by a 90-day transition that closed on August 9, 2023. Today you must use HIPAA-compliant platforms, execute BAAs with vendors, and configure strong privacy and security controls.

When did the HIPAA enforcement discretion for COVID-19 end?

OCR’s COVID-19 HIPAA Enforcement Discretion ended on May 11, 2023, the last day of the federal public health emergency. For telehealth, OCR provided a 90-day transition period that ended on August 9, 2023. Since then, full HIPAA compliance is required for all covered activities.
