COVID-19: HIPAA Compliance & Safeguarding PHI in a Pandemic

By: Nextech | April 13th, 2020

The recent HIPAA Waiver that was included in the Coronavirus Preparedness and Response Supplemental Appropriations Act passed on March 15, 2020 has caused a bit of confusion among some in the healthcare community. Does this mean HIPAA rules do not apply for the duration of the COVID-19 pandemic? Are the rules for safeguarding PHI also suspended during this period? In this blog, we are going to offer our readers a closer look at the current state of HIPAA and PHI safeguards during the COVID-19 pandemic so everyone can stay secure and compliant.

Specifics of the HIPAA Waiver

In a recent blog, we discussed the COVID-19 HIPAA Waiver in terms of telehealth expansion. This part of the waiver applies to all HIPAA-covered entities and allows for the temporary use of non-HIPAA-compliant videoconferencing solutions to conduct telehealth patient visits. While the full text of the waiver also temporarily waives other parts of the HIPAA Privacy Rule, it is important for individual providers to note that these suspensions apply only to covered entities operating in a hospital environment, as follows: (1) in the emergency room; (2) in hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.

Therefore, outside of the temporary exceptions being made for use in telehealth visits, the remaining HIPAA rules still apply to private practice and covered entities not seeing patients in a designated hospital environment. However, there is one other COVID-19-related waiver that, in very specific circumstances, applies to all providers in all environments. This one covers disclosure of PHI to first responders.

HIPAA Waiver for Disclosure to First Responders

A joint statement released by the OCR and HHS explains that the “HIPAA Privacy Rule permits a covered entity to disclose the protected health information (PHI) of an individual who has been infected with, or exposed to COVID-19, with law enforcement, paramedics, other first responders and public health authorities without the individual’s HIPAA authorization,” in the following situations:

  • When the disclosure is needed to provide treatment.
  • When such notification is required by law (for example, a covered entity can disclose the PHI of an individual who tests positive for COVID-19 in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials).
  • To notify a public health authority in order to prevent or control spread of disease (for example, a covered entity can disclose the PHI of an infected or exposed individual to a public health authority such as the CDC).

HIPAA Privacy & Security Rules are Still in Effect

The above-mentioned HIPAA exceptions and waivers aside, all PHI and ePHI safeguards (as stated in the HIPAA Privacy Rule and Security Rule) are still in full effect and must be followed. Therefore, the proper measures must continue to be observed, especially by those of you who are working from home during the pandemic. We encourage all of our readers to take the following PHI safeguarding precautions while working remotely:

  • Set up your workstation in a private or semi-private area of your home.
  • Lock your computer when away from the keyboard.
  • Obscure any PHI from potential view by unauthorized individuals.

Stay Calm & Keep Compliant

While HIPAA constraints have been temporarily relaxed during the COVID-19 health emergency, and violation penalties are waived under (very) specific circumstances, the rules for safeguarding the PHI of your patients are still in effect. While everyone is doing their best to remain calm and maintain social distancing during this unprecedented public health emergency, it is equally important to remember that the security and privacy of your patients’ PHI must be maintained as well.


The information provided in this blog article does not, and is not intended to, constitute legal or other advice; instead, all information, content, and materials are available for general informational purposes only. Information in this article may not constitute the most up-to-date legal, financial or other information. Readers should contact their attorney, financial, tax, or other advisor to obtain advice with respect to any particular matter. This article contains links to other third-party websites. Any such links are provided only for convenience and Nextech does not recommend or endorse the contents of any third-party sites.