HIPAA Rules During a Public Health Emergency: What Changes and What Stays the Same

Kevin Henry

HIPAA

February 03, 2026


During a declared emergency, you still have to balance rapid response with strong privacy safeguards. This guide explains HIPAA rules during a public health emergency—what changes and what stays the same—so you can act quickly while maintaining emergency public health compliance.

HIPAA Enforcement Discretion During Emergencies

“Enforcement discretion” means the Office for Civil Rights (OCR) may choose not to impose penalties for certain good‑faith actions taken during a crisis. It does not rewrite the HIPAA rules; it temporarily adjusts how OCR applies them to facilitate urgent care and coordination.

Limited HIPAA Privacy Rule waivers

Under section 1135 of the Social Security Act, HHS may issue narrow HIPAA Privacy Rule waivers for hospitals that activate a disaster protocol in the emergency area. For up to 72 hours from activation, OCR may waive sanctions and penalties for failing to:

  • Obtain a patient’s agreement to speak with family or friends involved in care.
  • Honor a request to opt out of a facility directory.
  • Distribute the Notice of Privacy Practices or document acknowledgment.
  • Honor a request for privacy restrictions.
  • Honor a request for confidential communications.

These HIPAA Privacy Rule waivers are limited in scope and time. After the waiver window closes—or if a facility has not activated its disaster protocol—full compliance resumes.

What is never waived

  • The HIPAA Security Rule’s safeguards for electronic PHI remain in force.
  • The Breach Notification Rule continues to apply.
  • Minimum necessary standards still apply to most disclosures (not to treatment).
  • Business associate obligations remain unless OCR explicitly announces discretion.

Core Privacy Protections During Emergencies

HIPAA is designed to function during crises. You may use and disclose PHI for treatment, payment, and health care operations without special permissions. The minimum necessary rule continues to apply to non‑treatment disclosures, and you must keep reasonable administrative, physical, and technical safeguards in place.

HIPAA also allows protected health information disclosure without authorization for specific purposes, including required-by-law disclosures, public health reporting, health oversight, averting a serious and imminent threat, and disaster relief information sharing with entities that help locate or notify family members.

Telehealth Services Flexibilities

During the COVID‑19 emergency, OCR announced telehealth enforcement discretion to ensure patients could receive care remotely. Clinicians could use non‑public‑facing communication tools in good faith for telehealth, even if the platform was not fully HIPAA‑configured or a business associate agreement was not in place.

While that flexibility supported access, providers were encouraged to prefer HIPAA‑ready platforms, enable encryption, verify patient identity, and limit on‑screen PHI to what is necessary. The underlying Privacy and Security Rules continued to guide patient confidentiality, documentation, and risk management.

Public‑facing livestreaming tools were never appropriate for telehealth. Platforms that offer access controls and end‑to‑end encryption better align with HIPAA’s safeguard expectations, even during periods of discretion.

Expiration of Enforcement Discretion

OCR’s telehealth enforcement discretion tied to the federal COVID‑19 emergency ended on May 11, 2023. OCR provided a 90‑day transition to restore full compliance, which concluded on August 9, 2023. After those dates, covered entities and business associates must use HIPAA‑compliant telehealth solutions and standard workflows.

Other emergency flexibilities likewise sunset when a declared emergency ends or when OCR specifies an earlier end date. Always confirm current status before relying on any announced discretion in a new event.

Disclosure of Protected Health Information During Emergencies

HIPAA expressly supports public health authority access when necessary to control disease, injury, or disability. You may disclose PHI to federal, state, territorial, or local public health agencies for surveillance, investigations, and interventions—subject to the minimum necessary standard.

Common patient confidentiality exceptions that apply

  • To public health authorities for reporting, contact tracing, and interventions.
  • To persons at risk of contracting or spreading a disease, if permitted by law.
  • To family, friends, or others involved in care when, in your professional judgment, it is in the patient’s best interests.
  • To disaster relief organizations to coordinate notification and reunification.
  • To avert a serious and imminent threat to health or safety.
  • When required by law (for example, certain injury or exposure reports).

Document what you disclose, who received it, and the purpose. Apply minimum necessary, rely on official requests when appropriate, and use secure channels to maintain patient confidentiality.

Compliance Transition for Telehealth

If you used interim tools during the emergency, you should complete a return‑to‑compliance plan. Focus on security hardening, vendor diligence, and policy alignment with the Privacy, Security, and Breach Notification Rules.

Practical steps to finalize compliance

  • Select a HIPAA‑compliant telehealth platform and execute a business associate agreement.
  • Perform or update your enterprise‑wide risk analysis; remediate gaps and document decisions.
  • Configure encryption in transit and at rest, access controls, logging, and timeout settings.
  • Update policies, consent and notice language, and telehealth intake scripts.
  • Train workforce members on telehealth privacy, verification, and screen‑sharing hygiene.
  • Retire noncompliant apps, revoke residual access, and update your asset inventory.
  • Test incident response and breach reporting workflows for remote‑care scenarios.

Emergency Patient Privacy Rights

Patients retain core rights during emergencies. They can access and obtain copies of their PHI, request amendments, receive an accounting of certain disclosures, and request restrictions or confidential communications. Any short‑term waiver of directory or communication rules is narrow and time‑limited; once it expires, standard rights resume.

Inform patients how their information may be used for treatment, public health activities, and disaster relief. Clear communication builds trust while enabling the protected health information disclosure necessary to manage an evolving crisis.

Bottom line: Emergencies can change how HIPAA is enforced, but they do not erase core protections. Use the permitted pathways for public health reporting and emergency coordination, apply minimum necessary, secure your systems, and return promptly to full compliance when discretion ends.

FAQs

What HIPAA provisions are waived during public health emergencies?

Only narrow HIPAA Privacy Rule waivers may apply, typically for hospitals that activate a disaster protocol in the emergency area. For up to 72 hours, OCR may waive penalties for failing to obtain agreement to speak with family/friends, honor a facility directory opt‑out, distribute or document the Notice of Privacy Practices, or honor requests for restrictions or confidential communications. These are targeted, time‑limited HIPAA Privacy Rule waivers—not a blanket suspension of HIPAA.

How does HIPAA protect patient privacy during emergencies?

HIPAA continues to protect privacy while allowing essential care and coordination. You can use and disclose PHI for treatment, payment, and operations; share with public health authorities; and disclose to avert a serious and imminent threat—all under the minimum necessary standard and with reasonable safeguards. The Security and Breach Notification Rules remain fully in effect.

What changes occurred for telehealth services under HIPAA?

During the COVID‑19 emergency, OCR exercised telehealth enforcement discretion so providers could use non‑public‑facing tools in good faith, even without full HIPAA configurations or a business associate agreement. Public‑facing platforms were still inappropriate, and providers were encouraged to adopt HIPAA‑ready solutions with encryption and access controls.

When did HIPAA enforcement discretion for telehealth expire?

OCR’s telehealth enforcement discretion ended on May 11, 2023, with a 90‑day transition period that closed on August 9, 2023. After those dates, covered entities and business associates must use HIPAA‑compliant telehealth platforms and standard HIPAA processes.
