What is HIPAA Enforcement Discretion?

HIPAA enforcement discretion occurs when the Secretary for Health and Human Services (HHS) announces the Department will exercise discretion in the enforcement of HIPAA Rules. The discretion can be temporary or permanent, region-specific or nationwide, or apply to some Rules but not others. Recent examples of when HIPAA enforcement discretion has been announced include:

  • 2023 – Typhoon Mawar in Guam
  • 2022 – Hurricane Ian in Florida and South Carolina
  • 2022 – Kentucky Flooding Public Emergency
  • 2021 – Texas Winter Storms Emergency
  • 2021 – The HIPAA “Safe Harbor” Law
  • 2020 – Wildfires in California and Oregon
  • 2020 to 2023 – The COVID-19 Pandemic
  • 2020 – Puerto Rico Earthquakes
  • 2019 – Hurricane Dorian (Multiple States)
  • 2018 – Hurricane Michael in Florida and Georgia

Most HIPAA Enforcement Discretion is Temporary and Region Specific

Under §1135 of the Social Security Act, the HHS Secretary has the authority to issue a Notice of Enforcement Discretion if the President declares an emergency or disaster and the Secretary declares the event a public health emergency. Typically, Notices of Enforcement Discretion last between 72 hours and 60 days, are state- or region-specific, and apply only to specific provisions of the HIPAA Rules.

The Secretary can waive requirements or announce enforcement discretion in many different areas of healthcare. For example, the Secretary can waive the requirements for out-of-state healthcare professionals to be licensed before being allowed to practice, or exercise discretion when investigating violations of the physician self-referral law (§1877 of the Social Security Act).

In the context of HIPAA enforcement discretion, the Secretary can waive sanctions and penalties that result from non-compliance with the following standards of the Privacy Rule:

  • 164.510 – Uses and disclosures of Protected Health Information requiring an opportunity for the individual to agree or object.
  • 164.520 – The requirement to distribute a HIPAA Notice of Privacy Practices and obtain acknowledgment of receipt.
  • 164.522 – The rights to request privacy protections for Protected Health Information and request confidential communications.

When the Secretary issues a Notice of HIPAA Enforcement Discretion, it only applies to the emergency area for the emergency period specified in the public health emergency declaration, and only to hospitals that have initiated a disaster protocol. A Notice of HIPAA Enforcement Discretion issued in these circumstances does not apply to health plans or business associates.

Nationwide Discretion Announced during the COVID-19 Pandemic

During the COVID-19 pandemic, healthcare providers had to deal with a nationwide public health crisis, the likes of which had never been seen before. The 2019 Novel Coronavirus (SARS-CoV-2) that caused COVID-19 forced healthcare providers to change normal operating procedures and workflows, reconfigure hospitals to segregate patients, open testing centers outside their usual facilities, work with new providers and vendors, and rapidly expand telehealth services.

To ensure the flow of essential healthcare information was not impeded by the HIPAA regulations during the public health emergency, the HHS’ Office for Civil Rights (OCR) issued multiple nationwide Notices of HIPAA Enforcement Discretion and announced that penalties and sanctions for noncompliance with certain provisions of the HIPAA Rules would not be imposed on healthcare providers for the good faith provision of healthcare services during the COVID-19 public health emergency.

Notice of Enforcement Discretion Covering Telehealth Remote Communications

With hospitals having limited capacity, and social distancing and self-isolation measures in place, healthcare providers rapidly expanded their telehealth and virtual care capabilities. The Centers for Medicare and Medicaid Services (CMS) also temporarily expanded telehealth options for all Medicare and Medicaid recipients.

To support healthcare providers, OCR announced a Notice of Enforcement Discretion covering telehealth remote communications for the duration of the public health emergency. Although some of the platforms used for providing these services were not fully compliant with HIPAA, OCR said it would not impose penalties for the use of these platforms during the public health emergency, provided those platforms were non-public-facing.

Notice of Enforcement Discretion Covering Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities

The HIPAA Privacy Rule only permits business associates of HIPAA-covered entities to use and disclose PHI for public health and health oversight activities if it is specifically stated that they can do so in a business associate agreement (BAA) with a HIPAA-covered entity. Even in such cases, disclosures of PHI should be restricted to the minimum necessary amount to achieve the objective of the disclosure.

On April 2, 2020, OCR issued a Notice of HIPAA Enforcement Discretion stating penalties would not be imposed on business associates for good faith disclosures of PHI for public health purposes to agencies such as the Centers for Disease Control and Prevention (CDC), CMS, state and local health authorities, and state emergency operations centers. In all cases, any use or disclosure of PHI must be reported to the covered entity within 10 days of the use or disclosure occurring.

Notice of HIPAA Enforcement Discretion for Community-Based Testing Sites

Additionally, enforcement discretion was exercised by OCR in connection with good faith participation in the operation of COVID-19 testing sites such as walk-up, drive-through, and mobile sites. The Notice of Enforcement Discretion covered all activities in testing centers that support the collection of specimens and testing of individuals for COVID-19.

Reasonable safeguards had to be implemented to protect patient privacy and the security of any PHI used or collected at these sites. The Notice did not apply to health plans or healthcare clearinghouses when they were performing health plan and clearinghouse functions, nor to healthcare providers or business associates that were not performing COVID-19 Community-Based Testing Site activities, even if those activities were performed at the testing sites.

Notice of Enforcement Discretion Covering Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments

On January 19, 2021, OCR announced it would be exercising enforcement discretion and would not impose penalties or sanctions on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling COVID-19 vaccination appointments.

While HIPAA penalties would not be imposed, OCR encouraged HIPAA-covered entities and business associates to ensure that reasonable safeguards were implemented to ensure the privacy and security of healthcare data, such as the use of encryption, limiting data input into systems to the minimum necessary information, and activating all available privacy settings.

Sharing PHI About COVID-19 Patients with First Responders

As well as publishing several Notices of HIPAA Enforcement Discretion at the start of the COVID-19 public health emergency, OCR confirmed that the Privacy Rule permitted the sharing of PHI with first responders such as law enforcement, paramedics, public safety agencies, and others under certain circumstances, without first obtaining a HIPAA authorization from a patient.

OCR also confirmed that the HIPAA Privacy Rule permits disclosures of PHI for the provision of treatment (e.g., by a skilled nursing facility to medical transport personnel), when required to do so by law (such as to comply with state infectious disease reporting requirements), and to prevent or control disease, injury, or disability. The latter included disclosures for public health surveillance, and to public health authorities to help prevent or control the spread of disease.

PHI could – and still can – be disclosed to first responders who may be at risk of infection and to help prevent or lessen a serious and imminent threat to the health and safety of a person or the public. OCR explained that it is permissible to “disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.”

Enforcement Discretion to be Applied when Calculating Violation Penalties

In January 2021, an amendment to the HITECH Act instructed the HHS Secretary to exercise HIPAA enforcement discretion and take into consideration certain recognized security practices when determining potential fines and/or the length and extent of a corrective action plan or an audit in the event of a data breach.

To qualify for HIPAA enforcement discretion, an investigated covered entity or business associate must be able to demonstrate at least twelve months of prior compliance with a recognized security framework. Although covered entities and business associates can implement the security framework that best meets the needs of the organization, OCR has recommended:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework,
  • Section 405(d) of the Cybersecurity Act of 2015, or
  • Other programs that address cybersecurity which are explicitly recognized by statute or regulation.

Despite the amendment having come into force more than two years ago, OCR has not yet published details of how discretion will be applied in the context of the HIPAA Enforcement Rule. In June 2022, the agency issued a Request for Information asking stakeholders for comments on how HIPAA enforcement discretion should best be applied in such circumstances, and it has published a video detailing how HIPAA-regulated entities can demonstrate that they have implemented recognized security practices. It has yet to publish a Notice of Proposed Rulemaking – the next step before any Rule is finalized.

Conclusion

HIPAA compliance can be challenging at the best of times, but during a public health emergency compliance becomes more difficult – no matter how well prepared a healthcare provider is. The Department of Health and Human Services recognizes the issues that can occur when healthcare providers are prevented from delivering the best possible healthcare because of regulatory barriers, and will exercise HIPAA enforcement discretion as and when necessary.

Nonetheless, it is important for covered entities – and business associates where applicable – to understand which Privacy Rule standards are subject to enforcement discretion, and which are not. It is also important for both covered entities and business associates to review their current Security Rule compliance in order to ensure they protect PHI from unauthorized and impermissible disclosures using a recognized security framework.

Healthcare providers who require further information about HIPAA compliance, which standards may be subject to HIPAA enforcement discretion, and what constitutes a recognized security framework should seek professional compliance advice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com