Skip to main content

Articles & Insights

rolling hills

Limited Waiver of HIPAA Sanctions and Penalties

March 17, 2020

Effective as of March 15, 2020, HHS Secretary Alex Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:• the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).• the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).• the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.• the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).• the patient’s right to request confidential communications. See 45 CFR 164.522(b). The waiver only applies:(1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.  A hospital must comply with all the requirements of the Privacy Rule for any patient still under its care, when the Presidential or Secretarial declaration terminates – even if 72 hours have not elapsed since implementation of its disaster protocol. Read more here: the Waiver or Modification of Requirements under Section 1135 of the Social Security Act as the result of the consequences of the 2019 Novel Coronavirus at: information about how the HIPAA Privacy Rule applies in an emergency, visit the OCR’S HIPAA Emergency Preparedness, Planning, and Response page <> or you may use the HIPAA Disclosures for Emergency.Preparedness Decision Tool <>For more information on COVID-19, please visit:  https://www.coronavirus.go


Tricia L. Hoffman-Simanek

Back to All Posts

This website uses cookies for analytics, personalization and advertising. By continuing to browse, you agree to our use of cookies.