HIPAA Privacy Rule and COVID: Compliance Requirements, Permitted Disclosures, Enforcement Updates
HIPAA Privacy Rule Modifications
HIPAA was never suspended during the COVID-19 Public Health Emergency. Instead, the Office for Civil Rights (OCR) issued time-limited Notifications of Enforcement Discretion to reduce compliance friction while care delivery and public health reporting scaled rapidly. These flexibilities did not change the Privacy Rule’s core standards for Protected Health Information; they temporarily adjusted how OCR prioritized enforcement.
Throughout the emergency, covered entities and business associates could continue to use and disclose PHI for treatment, public health reporting, and health oversight activities. Disclosures to prevent or lessen a serious and imminent threat, to family and friends involved in a patient’s care, and to law enforcement in narrow circumstances remained permissible, subject to the minimum necessary standard and documentation requirements.
For operations, OCR emphasized practical safeguards even when exercising discretion: verify requestors’ authority, log non-routine disclosures, limit PHI shared through ad hoc workflows, and maintain reasonable administrative, physical, and technical protections consistent with the Security Rule.
Enforcement Discretion Expiration
OCR’s COVID-19 enforcement flexibilities were temporary. The Public Health Emergency ended on May 11, 2023, and OCR allowed its time-limited Notifications of Enforcement Discretion to sunset. These included discretion related to telehealth remote communications, community-based testing sites, business associate disclosures for certain public health and health oversight purposes, and web-based scheduling tools used for COVID-19 vaccination appointments.
After expiration, standard HIPAA requirements fully apply again. Notably, OCR’s telehealth enforcement discretion ended with a 90-day transition period that concluded on August 9, 2023. Entities should ensure any workflows that relied on those temporary flexibilities have been remediated, documented, and brought into alignment with routine HIPAA compliance expectations.
Reproductive Health Data Privacy
Separate from COVID-19, OCR finalized new protections for reproductive health information. The rule prohibits the use or disclosure of PHI to investigate or impose liability for seeking, obtaining, providing, or facilitating lawful reproductive health care. It also requires a targeted attestation before responding to certain requests for PHI potentially related to reproductive health care.
You must operationalize these changes by updating policies, procedures, workforce training, and your Notice of Privacy Practices to reflect the new prohibitions and attestation requirement. Compliance begins on staggered timelines starting in late 2024, with additional documentation and Notice of Privacy Practices updates due on later dates into 2026; plan and resource your project accordingly.
Telehealth Compliance Deadline
With the end of telehealth enforcement discretion on August 9, 2023, telehealth compliance returned to the standard HIPAA baseline. Using consumer-grade video apps under the “good faith” allowance is no longer sufficient. You must use vendors that will sign Business Associate Agreements and implement platform configurations that meet Security Rule expectations.
Actions to take now
- Complete and document a Security Risk Analysis focused on telehealth workflows, endpoints, identity verification, and data flows.
- Choose video and messaging platforms that provide end-to-end encryption, access controls, audit logging, and a Business Associate Agreement.
- Harden configurations: waiting rooms, unique session links, disabled auto-recordings, restricted file sharing, and defined retention settings.
- Update policies, contingency plans, and workforce training for remote care, including identity proofing and consent practices.
- Revise intake materials and your Notice of Privacy Practices to explain telehealth-specific uses and disclosures, where relevant.
Business Associate Disclosures
During the PHE, OCR allowed certain good-faith business associate disclosures for public health and health oversight even if not expressly permitted by the BAA. That discretion has expired. Today, a business associate may use or disclose PHI only as permitted by its Business Associate Agreement, as required by law, or as otherwise authorized by the Privacy Rule.
Covered entities should inventory vendors, tighten BAA scopes, and verify downstream subcontractor controls. Require written approval for non-routine disclosures, prohibit analytics or tracking uses that fall outside treatment, payment, or operations, and monitor for impermissible disclosures through logs and audits.
OCR Guidance on COVID-19 Disclosures
HIPAA has always permitted specific COVID-19-related disclosures. You may disclose PHI to public health authorities (for case reporting, contact tracing, and surveillance), to health oversight agencies (for audits and investigations), and to other providers for treatment. You may also disclose to persons at risk to prevent or lessen a serious and imminent threat, consistent with professional judgment and applicable law.
At the same time, avoid blanket or convenience releases. Verify the requestor’s authority, limit information to the minimum necessary for the purpose, and document non-routine decisions. For employer-related inquiries, remember HIPAA generally governs covered entities and business associates—not employers—so disclosures to an employer require a proper legal basis or a written authorization.
Enforcement of HIPAA Rules
Post-PHE, OCR has returned to full enforcement of the HIPAA Rules. Expect continued scrutiny of the Right of Access, Security Rule deficits (especially incomplete or outdated Security Risk Analysis and risk management), and impermissible disclosures to marketing or analytics technologies.
Resolution agreements typically require corrective action plans, monitoring, and sometimes civil monetary penalties under HIPAA’s tiered structure, which scales by culpability from lack of knowledge to willful neglect. State attorneys general may also enforce HIPAA and related state privacy laws. Strong governance, defensible documentation, and proactive risk management remain your best protection.
FAQs
What are the key HIPAA modifications related to COVID-19?
OCR issued temporary Notifications of Enforcement Discretion to facilitate care and reporting during the Public Health Emergency. These included flexibilities for telehealth, community-based testing, certain business associate disclosures for public health and health oversight activities, and web-based vaccine scheduling tools. The modifications were time-limited enforcement policies—not changes to the underlying Privacy Rule—and they have now expired.
When did the enforcement discretion for telehealth expire?
OCR’s telehealth enforcement discretion ended with a 90-day transition period that concluded on August 9, 2023. Since then, telehealth must be delivered using HIPAA-compliant platforms, with Business Associate Agreements in place and Security Rule safeguards implemented.
How must covered entities update their Notice of Privacy Practices?
Update the Notice of Privacy Practices to reflect current law and OCR guidance, including the new reproductive health protections (e.g., prohibitions on using or disclosing PHI for investigations into lawful reproductive health care and the targeted attestation requirement). Clarify telehealth practices where relevant, refresh contact and complaint information, and redistribute and post the updated notice by the applicable compliance dates set by OCR.
What are the penalties for HIPAA violations post-COVID-19 emergency?
OCR has resumed full enforcement using HIPAA’s tiered civil monetary penalty framework, along with corrective action plans and monitoring. Penalties vary by culpability and may escalate for willful neglect or failure to correct. Violations can also trigger state enforcement and reputational harm, making timely remediation, thorough documentation, and a current Security Risk Analysis essential.