

During this COVID-19 pandemic, the Office for Civil Rights (“OCR”) has issued guidance for health care providers and patients/residents easing some of the regulatory requirements under the HIPAA Privacy and Security Rules. OCR has created a special webpage at the following link which compiles this guidance –

Here are the highlights of the guidance:

  1. Telehealth Remote Communications: During the pandemic, covered health care providers subject to HIPAA can communicate with patients/residents, and provide telehealth services, through remote communications technologies – even in cases where the technologies may not fully comply with all HIPAA requirements. OCR will not impose penalties for HIPAA noncompliance in connection with the good faith provision of telehealth. For example, providers may use video chat applications such as Apple FaceTime, Facebook Messenger video chat, Zoom, or Skype. However, some video communications are public-facing and should not be used to provide telehealth, such as Facebook Live, Twitch, and TikTok.

  2. Disclosures to Law Enforcement, Paramedics, First Responders: OCR has stated that HIPAA allows a covered entity to disclose protected health information of an individual infected with, or exposed to, COVID-19 to law enforcement, paramedics, first responders, and public health authorities without the individual’s authorization, including when the disclosure is needed for treatment, when required by law, to notify a public health authority in order to prevent or control the spread of disease, and when first responders may be at risk of infection.

  3. Sharing Patient Information:

  • OCR reiterated that under the HIPAA Privacy Rule, a covered entity may disclose, without a patient/resident’s authorization, protected health information about a patient/resident as necessary to treat that individual or to treat a different patient/resident.

  • A covered entity may share protected health information with a patient/resident’s family members, relatives, friends, or others identified by the patient/resident as involved in that individual’s care. A covered entity may also share information as necessary to identify, locate, and notify family members and guardians of a patient/resident’s location, general condition, or both – which may include notifying family members and others, the police, the press, or the public at large.

  • Enforcement Discretion: OCR has announced that it will not impose penalties for violations of certain provisions of the HIPAA Privacy Rules against health care providers or business associates for the good faith uses and disclosures of protected health information by business associates for public health and health oversight activities during the pandemic. For example, business associates can now share COVID-19 related data with the Centers for Disease Control and Prevention, the Centers for Medicare and Medicaid Services, state/local health departments, and state emergency operations centers without concern about HIPAA penalties.

If you have any questions about this Legal Briefing, please contact any attorney in our Firm at (585) 730-4773. Please note that any embedded links to other documents may expire in the future.


This Legal Briefing is intended for general informational and educational purposes only and should not be considered legal advice or counsel. The substance of this Legal Briefing is not intended to cover all legal issues or developments regarding the matter. Please consult with an attorney to ascertain how these new developments may relate to you or your business. © 2020 Law Offices of Pullano & Farrow PLLC

For more Coronavirus Legal Updates, please visit our resource page.

