18 March 20203 minute read

US HHS issues waiver of certain HIPAA sanctions and penalties amidst COVID-19

Following declarations of a public health emergency and national emergency, the Secretary of the Department of Health and Human Services (HHS) has used its emergency authority under Section 1135 of the Social Security Act to waive sanctions and penalties for certain provisions of the Health Insurance Portability and Accountability Act (HIPAA) for certain covered hospitals.  The waiver was issued and effective March 15 at 6:00 pm and is available on the HHS website.

The public health emergency was declared for the entire United States, so the waiver applies nationally.  However, it only applies to hospitals that have instituted a disaster protocol and it is only effective for 72 hours after the protocol is implemented.  Where these conditions are met, HHS will not enforce penalties or sanctions for noncompliance with the following obligations of the HIPAA Privacy Rule:

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (42 CFR 163.510(b)).
  • The requirement to honor a request to opt out of the facility directory (42 CFR 164.510(a)).
  • The requirement to distribute a notice of privacy practices (42 CFR 164.520).
  • The patient’s right to request privacy restrictions (45 CFR 164.522(a)).
  • The patient’s right to request confidential communications (45 CFR 164.522(b)). 

Hospitals that have not instituted their disaster protocol and other HIPAA covered entities are still subject to standard penalties and sanctions for noncompliance.  The waiver is effective for 60 days or until termination of either the HHS declaration of public health emergency or the presidential declaration of national emergency.  The waiver’s termination will return covered hospitals to standard compliance requirements even if a hospital’s disaster protocol is still in force.  

The HHS bulletin issuing the waiver also reminds covered hospitals that HIPAA permits sharing of patient information under certain circumstances, including for treatment and public health purposes.   For more information on permissible disclosures to public health authorities, see our client alert HIPAA and the Coronavirus.


To learn more, please contact any members of the Healthcare team or your regular DLA Piper attorney.

Please visit our Coronavirus Resource Center and subscribe to our mailing list to receive alerts, webinar invitations and other publications to help you navigate this challenging time.