HIPAA in the time of Covid-19

June 25, 2020  |  David Smith

Global cases of the novel coronavirus continue to tick upward in most parts of the world, and every new case raises further questions about the patient. Hospitals, governments and even the general public want to know who the affected people are, what their health history is, which locations they visited, and whom they interacted with before receiving a positive test result. At a time when the answers to these questions genuinely matter, the biggest hurdle for health authorities is the Health Insurance Portability and Accountability Act (HIPAA), a regulation that safeguards a patient’s healthcare information from impermissible or unauthorized use and disclosure. Healthcare providers cannot make an individual’s information public without that individual’s written consent, unless doing so is critical for the protection of the public or the treatment of the patient.

In the case of Covid-19, HIPAA may limit what can be shared about a patient, which makes it harder for public health agencies to trace recent contacts and the possible spread of the virus. At the same time, sharing information such as the names of people who have tested positive can lead to unwanted attention and harassment.

In light of the current pandemic, the Office for Civil Rights (OCR), the body responsible for enforcing HIPAA, has issued notices relaxing some HIPAA requirements so that health practitioners can focus their resources on patient care. These requirements have not been suspended because of Covid-19, but violating some of them while the pandemic lasts will not expose the violator to non-compliance action.

Let us look at some of the HIPAA requirements relaxed during the time of Covid-19.

Telehealth
In view of social distancing, healthcare providers who treat their patients via telehealth will not be subject to any penalty for violating HIPAA rules. Doctors who use video or audio communication to provide telehealth services may use any non-public-facing audio or video product to communicate with patients, regardless of its security precautions. This discretion applies to telehealth consultations for all kinds of treatment, not only to the treatment of coronavirus patients.

Doctors and healthcare professionals can therefore use web and mobile apps over internet services such as Excede Internet, and hold non-public-facing chats over Facebook Messenger, FaceTime, Skype, or Google Hangouts without risking a penalty for non-compliance with HIPAA rules. OCR has also stated that such healthcare providers will not be penalized for not having a Business Associate Agreement with these application vendors.

First responders

The OCR has issued guidelines to help first responders receive the Protected Health Information (PHI) of individuals infected with or exposed to the coronavirus. The guidelines clarify how a covered entity may disclose the minimum necessary PHI, such as names or other identifying information, to paramedics, law enforcement, or other first responders in cases where those responders need to take precautions or wear personal protective equipment.

This can be done in situations such as when it is necessary to treat a patient, when the law requires it, when notifying a public health authority, when first responders are at risk of infection, and when preventing or lessening an imminent threat to health and safety. Under no circumstances, however, are health authorities allowed to make this information publicly available.

Business associates

OCR will not impose a penalty on healthcare providers and their business associates for violating certain HIPAA provisions where the use or disclosure of Protected Health Information is made in good faith for public health activities. This discretion aims to support health oversight agencies and public health authorities, state emergency operations centers and health departments that need access to Covid-19 data but had trouble obtaining it while it was held by business associates.

Under HIPAA rules, covered entities could already provide this data. With this relaxation, business associates can now also share the data without risk of penalty, irrespective of the terms of their Business Associate Agreement. Once the information is disclosed, the business associate must notify the covered entity within ten days and document the notification.

Covid-19 community-based testing sites

HIPAA rules are also relaxed for covered entities and business associates that participate in good faith in the operation of a Covid-19 Community-Based Testing Site (CBTS). This notification is meant to support healthcare professionals who want to take part in a CBTS operation, such as drive-through, mobile or walk-up sites that provide coronavirus testing or specimen collection to the public.

However, healthcare providers still have to take every feasible measure to safeguard the individual’s PHI. For instance, they are advised to set up a barrier or canopy to give individuals privacy during the testing process and to maintain distancing so that other individuals are less likely to overhear interactions during screening.

Final thoughts…

It is worth remembering that the HIPAA rules were launched more than two decades ago. With the growth in healthcare data over the past 20 years, and now the further flood of data during the Covid-19 pandemic, it is fair to say that much of this data falls outside HIPAA’s jurisdiction. It remains to be seen whether the government will develop a new health regulatory scheme for the coming years.
