
What is HIPAA Enforcement Discretion?

HIPAA enforcement discretion is one of several options available to the Secretary for Health and Human Services (HHS) during public health emergencies to ensure that healthcare services continue to be available to affected individuals, and that healthcare providers can continue providing a service – even when it is not possible for healthcare providers to comply with all applicable healthcare regulations.

Under §1135 of the Social Security Act, the HHS Secretary has the authority to issue a Notice of Enforcement Discretion if the President declares an emergency or disaster and the Secretary declares the event a public health emergency.  

A Notice of Enforcement Discretion allows the Secretary to waive multiple federal healthcare requirements in the emergency area for the duration of the emergency period identified in the public health emergency declaration. 

For example, the Secretary may waive Medicare and Medicaid conditions of participation, allow licensed healthcare professionals to practice across state lines, or permit the transfer of patients who have not yet been stabilized contrary to the Emergency Medical Treatment and Labor Act (EMTALA). 


Emergency HIPAA Enforcement Discretion 

In the context of HIPAA enforcement discretion due to a public health emergency, the Secretary can waive sanctions and penalties that result from non-compliance with the following standards of the Privacy Rule: 

  • 164.510 – Uses and disclosures of Protected Health Information requiring an opportunity for the individual to agree or object. 
  • 164.522 – The right to request privacy protections for Protected Health Information and request confidential communications. 

The first of these waivers allows healthcare providers to speak with family members or friends to determine – for example – a patient’s blood type, whether a patient has a pre-existing condition, or whether the patient has been prescribed medications that may interact with emergency medications.   

When the Secretary issues a Notice of HIPAA Enforcement Discretion, it only applies to healthcare providers who are members of a hospital workforce when the hospital has initiated a disaster protocol. A Notice of HIPAA Enforcement Discretion issued in these circumstances does not apply to health plans or business associates. 

Emergency HIPAA enforcement discretion typically lasts between 72 hours and 60 days, is state- or region-specific, and applies only to the three standards of the HIPAA Privacy Rule mentioned above. Recent examples of when HIPAA enforcement discretion has been announced include:

  • 2025 – Severe Storms and Flooding in Texas 
  • 2025 – Wildfires in California 
  • 2024 – Hurricane Milton in Florida 
  • 2024 – Hurricane Helene (Multiple States) 
  • 2023 – Typhoon Mawar in Guam 
  • 2022 – Hurricane Ian in Florida and South Carolina 
  • 2022 – Kentucky Flooding Public Emergency 
  • 2021 – Texas Winter Storms Emergency 
  • 2021 – The HIPAA “Safe Harbor” Law 
  • 2020 – Wildfires in California and Oregon 
  • 2020 to 2023 – The COVID-19 Pandemic 
  • 2020 – Puerto Rico Earthquakes 

Non-Emergency HIPAA Enforcement Discretion 

Not all HIPAA-related discretionary activities are attributable to public health emergencies. The HHS’ Centers for Medicare and Medicaid Services (CMS) has the authority to exercise discretion when enforcing Part 162 of the HIPAA Administrative Simplification Regulations (the HIPAA Transactions and Code Sets Rules), while the HHS’ Office for Civil Rights has been instructed to exercise discretion when calculating penalties for HIPAA violations and data breaches. 

HIPAA Transaction and Code Sets Enforcement Discretion 

The CMS’ authority to exercise HIPAA enforcement discretion is rarely used. When it is, the agency tends to allow organizations to delay the implementation of a specific standard or transaction code subject to other requirements being fulfilled.   

For example, in 2024, CMS published a Notice of Enforcement Discretion for covered entities that chose not to use the X12 278 standard for obtaining prior authorizations, provided they had implemented an FHIR-based Prior Authorization API. 

Unlike Notices of Enforcement Discretion issued during a public health emergency, CMS’ HIPAA enforcement discretion does not have a firm end date. This is to encourage covered entities to adopt FHIR-based APIs – which are more modern and flexible than legacy X12 278 transactions – without the risk of penalties for violating Part 162 of the HIPAA Administrative Simplification Regulations.

Discretion to be Exercised when Calculating HIPAA Penalties 

In January 2021, an amendment to the HITECH Act instructed the HHS Secretary to exercise discretion and take into consideration certain recognized security practices when determining potential fines and/or the length and extent of a corrective action plan or an audit in the event of a HIPAA violation or data breach. 

To qualify for discretion, an investigated covered entity or business associate must be able to demonstrate at least twelve months prior compliance with a recognized security framework. Although covered entities and business associates can implement a security framework that best meets the needs of the organization, the HHS’ Office for Civil Rights has recommended: 

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework, 
  • Section 405(d) of the Cybersecurity Act of 2015, or 
  • Other programs that address cybersecurity which are explicitly recognized by statute or regulation. 

Despite the amendment coming into force more than four years ago, the HHS’ Office for Civil Rights has not yet published details of how discretion will be exercised in the context of the HIPAA Enforcement Rule.  

In June 2022, the agency issued a Request for Information asking for comments from stakeholders on how discretion should be exercised in such circumstances and has published a video detailing how HIPAA-regulated entities can demonstrate they have implemented recognized security practices, but has yet to publish a Notice of Proposed Rulemaking – the next step before any Rule is finalized. 

Conclusion

HIPAA compliance can be challenging at the best of times, but during a public health emergency compliance becomes more difficult, no matter how well prepared a healthcare provider is. The Department of Health and Human Services recognizes the issues that can occur when healthcare providers are prevented from delivering the best possible healthcare because of regulatory barriers, and will exercise HIPAA enforcement discretion as and when necessary.

It is important for covered entities, and business associates where applicable, to understand which Privacy Rule standards are subject to HIPAA enforcement discretion, and which are not. It is also important for both covered entities and business associates to review their current Security Rule compliance in order to ensure they protect PHI from unauthorized and impermissible disclosures using a recognized security framework. 

Healthcare providers who require further information about HIPAA compliance, which standards may be subject to HIPAA enforcement discretion, and what constitutes a recognized security framework should seek professional compliance advice. 

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
