
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Can HIPAA be Waived?

Although HIPAA cannot be waived in its entirety, some provisions of the Privacy Rule can be waived in certain circumstances for a limited time – either locally or nationally, or for certain types of medical facilities during certain types of event.

HIPAA is an Act that includes more than just the Administrative Simplification provisions (Privacy Rule, Security Rule, Breach Notification Rule, etc.). For HIPAA to be waived in its entirety, the health insurance portability provisions would have to be waived, the tax benefits of medical savings accounts would have to be waived, and changes to the COBRA continuation provisions would have to be rolled back.

However, under §1135 of the Social Security Act, the Secretary for Health and Human Services has the authority to “temporarily waive or modify the application of” certain provisions of the Social Security Act and the HIPAA Privacy Rule during an emergency or disaster, provided the emergency or disaster has been declared by the President and the Secretary declares a Public Health Emergency.

What Provisions of the Privacy Rule Can be Waived?

When the conditions mentioned above are met, the Secretary can waive Privacy Rule provisions relating to:


  • The requirement to give patients an opportunity to agree or object to inclusion in a facility directory or notifying family and friends (§164.510)
  • The requirement to provide a Notice of Privacy Practices and obtain a written confirmation the Notice has been received (§164.520)
  • Patients' rights to request restrictions on the uses and disclosures of PHI and request confidential communications (§164.522)

The waiving of compliance requirements – or how they are applied – does not have to be nationwide. In 2005, the Secretary of Health and Human Services announced a waiver of the above Privacy Rule provisions for Covered Entities and Business Associates located in Gulf States in order to accelerate the emergency response to Hurricane Katrina.

Associate Agreements also Waived during Katrina

The Secretary also announced that the Department of Health and Human Services (via the Office for Civil Rights) would not pursue enforcement action in response to complaints about unauthorized uses and disclosures of Protected Health Information (PHI), if the unauthorized use or disclosure of PHI would have been permissible had a Business Associate Agreement been in place.

The effective waiving of this HIPAA provision was conditional on verbal agreements between Covered Entities and the organizations to which PHI was disclosed that PHI would be used to help hurricane evacuees. Ultimately, it enabled federal rescue teams to access prescription, Medicare, Veterans Affairs, and EHR records to establish a database of more than 800,000 people.

Waivers of HIPAA during the COVID-19 Pandemic

During the COVID-19 pandemic, multiple HIPAA waivers, notices of enforcement discretion, and CMS “flexibilities” were issued – many of which are still in place. Again, the HIPAA waivers and notices of enforcement discretion were conditional and only applied to certain healthcare activities such as telemedicine, community-based testing sites, and appointment booking for COVID-19 vaccinations.

CMS' flexibilities were even more granular, with different provider-specific waivers for physicians, teaching hospitals, hospices, laboratories, and ambulance services among many others. Additionally, CMS issued flexibilities per Medicare State Plan to address issues relating to coverage, eligibility, reimbursements, and program administration.

Waivers of HIPAA for Research Purposes

In addition to waivers of HIPAA during emergencies and disasters, the Privacy Rule also allows for waivers of HIPAA for research purposes – specifically when an Institutional Review Board or Privacy Board authorizes a use or disclosure of PHI without the authorization of the patient to whom it relates. The multiple conditions attached to this waiver can be found in §164.512(i).

In most cases, a waiver or “Alteration of Authorization” can only be requested by researchers when they are unable to use deidentified health information and the research could not practicably be conducted if research participants’ authorizations were required. However, the process for obtaining HIPAA waivers of this nature varies depending on whether the participants are patients of a Covered Entity, or the research material is being obtained from a third-party source.

Author: Owen Bates is a Contributing Editor and HIPAA Subject Matter Expert at The HIPAA Journal, having joined the publication in November 2024. He researches HIPAA compliance topics and writes authoritative reference articles that help readers understand complex regulatory requirements in a clear and practical way. He also reviews and updates existing content to reflect changes to HIPAA regulations, helping ensure the accuracy and relevance of published material. In addition to his editorial work, Owen contributes as a reviewer and tester of The HIPAA Journal Training courses, supporting the development of high-quality educational content. He also advises The HIPAA Journal’s clients on best practices for HIPAA implementation and enforcement. Owen is a psychology graduate of Westmont College, California.
