HIPAA enforcement discretion allows healthcare providers flexibility during emergencies and public health crises. Healthcare providers can waive certain HIPAA requirements to deliver essential care while maintaining patient privacy and security.
Understanding HIPAA enforcement discretion
HIPAA enforcement discretion occurs when the HHS Secretary declares that the Department will exercise flexibility in enforcing HIPAA Rules. This discretion can be temporary or permanent, region-specific or nationwide.
It is typically announced in response to emergencies or disasters threatening public health. The HHS Secretary has the authority to issue a Notice of Enforcement Discretion under §1135 of the Social Security Act when the President declares an emergency and the Secretary declares it a public health emergency.
Read more: Understanding and implementing HIPAA rules
Parameters of enforcement discretion
Most instances of HIPAA enforcement discretion are temporary and region-specific. When the Secretary issues a Notice of HIPAA Enforcement Discretion, it applies only to the emergency area and the specified period. It is important to note that discretion does not apply to health plans or business associates but only to hospitals that have initiated a disaster protocol.
Waiving Requirements and Sanctions
During periods of HIPAA enforcement discretion, certain requirements and sanctions may be waived. The Secretary can exercise control in waiving the following standards of the Privacy Rule:
- 164.510 - Uses and disclosures of protected health information requiring an opportunity for the individual to agree or object.
- 164.520 - The requirement to distribute a HIPAA notice of privacy practices and obtain acknowledgment of receipt.
- 164.522 - The right to request privacy protections for protected health information and confidential communications.
Read more: Is HIPAA waived during natural disasters?
Uses and disclosures of PHI
The HIPAA Privacy Rule permits business associates to use and disclose protected health information (PHI) for public health and oversight activities only if stated in a business associate agreement (BAA) with a covered entity.
During the COVID-19 public health emergency, OCR issued a Notice of HIPAA Enforcement Discretion stating that good-faith disclosures of PHI for public health purposes to authorized agencies, such as the Centers for Disease Control and Prevention (CDC), would not result in penalties. However, any use or disclosure of PHI must be reported to the covered entity within 10 days.
See more:
Sharing PHI with first responders
During a public health emergency, OCR clarified that the HIPAA Privacy Rule permits sharing PHI with first responders under certain circumstances. This includes sharing PHI with law enforcement, paramedics, and public safety agencies without obtaining prior patient authorization. The goal is to prevent or control disease, injury, or disability and ensure the health and safety of individuals and the public.
Read more: Sharing patient information with authorization
Impact on penalty calculation
In January 2021, an amendment to the HITECH Act instructed the HHS Secretary to exercise enforcement discretion when calculating potential fines and the length of corrective action plans or audits following a data breach.
Covered entities and business associates can qualify for enforcement discretion by demonstrating at least twelve months prior compliance with a recognized security framework. The HHS has recommended using the National Institute of Standards and Technology (NIST) Cybersecurity Framework or other programs recognized by statute or regulation.
Examples of HIPAA enforcement discretion
HIPAA enforcement discretion has been exercised in various situations, both natural disasters and public health emergencies. Some recent examples include:
- 2023 - Typhoon Mawar in Guam
- 2022 - Hurricane Ian in Florida and South Carolina
- 2022 - Kentucky Flooding Public Emergency
- 2021 - Texas Winter Storms Emergency
- 2020 - Wildfires in California and Oregon
- 2020 to 2023 - The COVID-19 Pandemic
- 2020 - Puerto Rico Earthquakes
- 2019 - Hurricane Dorian (Multiple States)
- 2018 - Hurricane Michael in Florida and Georgia
Go deeper:
See also: HIPAA Compliant Email: The Definitive Guide
Farah Amod
