medcomply.ai
Intel
The HIPAA Security Rule — A Complete Guide for 2026 · Security RuleUnderstanding the HIPAA Breach Notification Rule · Data BreachHIPAA breach notification overview · Data BreachHow to respond to a HIPAA breach · Data BreachHIPAA compliance checklist for covered entities · AnalysisOCR audit preparation checklist and evidence map · OCR EnforcementPatient rights under HIPAA: practical guide · Rule UpdateHIPAA staff training requirements and cadence · AnalysisHIPAA for SaaS and technology vendors · SaaS & TechnologyHIPAA Security Rule overview for compliance teams · Security RuleWhat is a Business Associate Agreement (BAA)? · BAAWhat counts as PHI under HIPAA? · Privacy RuleThe HIPAA Security Rule — A Complete Guide for 2026 · Security RuleUnderstanding the HIPAA Breach Notification Rule · Data BreachHIPAA breach notification overview · Data BreachHow to respond to a HIPAA breach · Data BreachHIPAA compliance checklist for covered entities · AnalysisOCR audit preparation checklist and evidence map · OCR EnforcementPatient rights under HIPAA: practical guide · Rule UpdateHIPAA staff training requirements and cadence · AnalysisHIPAA for SaaS and technology vendors · SaaS & TechnologyHIPAA Security Rule overview for compliance teams · Security RuleWhat is a Business Associate Agreement (BAA)? · BAAWhat counts as PHI under HIPAA? · Privacy Rule
resolution agreement

HIPAA and COVID-19Corrective action / RA

Resolution

Penalty

Corrective action / RA

Action type

Resolution agreement

Entity profile

Case number

What went wrong

HIPAA and COVID-19

  • Navigate to: HIPAA for Professionals Regulatory Initiatives Privacy Summary of the Privacy Rule Guidance Combined Text of All Rules HIPAA Related Links Security Security Rule NPRM Summary of the Security Rule Security Guidance Cyber Security Guidance Breach Notification Breach Reporting Guidance Reports to Congress Regulation History Compliance & Enforcement Enforcement Rule Enforcement Process En

Full description

Navigate to: HIPAA for Professionals Regulatory Initiatives Privacy Summary of the Privacy Rule Guidance Combined Text of All Rules HIPAA Related Links Security Security Rule NPRM Summary of the Security Rule Security Guidance Cyber Security Guidance Breach Notification Breach Reporting Guidance Reports to Congress Regulation History Compliance & Enforcement Enforcement Rule Enforcement Process Enforcement Data Resolution Agreements Case Examples Audit Reports to Congress State Attorneys General Special Topics Parental Access Mental and Behavioral Health Change Healthcare Cybersecurity Incident FAQs HIPAA and COVID-19 HIPAA and Reproductive Health HIPAA and Final Rule Notice HIPAA and Telehealth HIPAA and FERPA Research Public Health Emergency Response Health Information Technology Health Apps Patient Safety Covered Entities & Business Associates Business Associate Contracts Business Associates Training & Resources FAQs for Professionals Other Administrative Simplification Rules Substance Use Disorder Confidentiality HIPAA and COVID-19 The HHS Office for Civil Rights (OCR) has provided Bulletins, Notifications of Enforcement Discretion, Guidance, and Resources that help explain how patient health information may be used and disclosed in response to the COVID-19 nationwide public health emergency.OCR HIPAA Announcements Related to COVID-19:OCR Announces Expiration of COVID-19 PHE HIPAA Notifications of Enforcement Discretion - April 11, 2023HHS Issues Guidance on HIPAA and Audio-Only Telehealth - June 13, 2022OCR Issues Guidance on HIPAA, COVID-19 Vaccinations, and the Workplace - September 30, 2021OCR Announces Notification of Enforcement Discretion for Use of Online or Web-Based Scheduling Applications for the Scheduling of COVID-19 Vaccination Appointments - January 19, 2021OCR Issues Guidance on HIPAA, Health Information Exchanges, and Disclosures of Protected Health Information for Public Health Purposes - December 18, 2020Trump Administration Adds Health Plans to June 2020 Plasma Donation Guidance - August 24, 2020OCR Issues Guidance on How Health Care Providers Can Contact Former COVID-19 Patients About Blood and Plasma Donation Opportunities - June 12, 2020OCR Issues Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their Facilities - May 5, 2020OCR Announces Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency - April 9, 2020OCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency - April 2, 2020OCR Issues Bulletin on Civil Rights Laws and HIPAA Flexibilities That Apply During the COVID-19 Emergency - March 28,2020OCR Issues Guidance to Help Ensure First Responders and Others Receive Protected Health Information about Individuals Exposed to COVID-19 - March 24, 2020OCR Issues Guidance on Telehealth Remote Communications Following Its Notification of Enforcement Discretion - March 20, 2020OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency - March 17, 2020Notifications of Enforcement DiscretionNotice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health EmergencyNotification of Enforcement Discretion for Use of Online or Web-Based Scheduling Applications for the Scheduling of COVID-19 Vaccination AppointmentsCriterio de aplicación en conexión con aplicaciones de planificación electrónica para la programación de citas para la vacunación contra el COVID-19 durante la emergencia de salud pública nacional por el COVID-19Notification of Enforcement Discretion for Community-Based Testing SitesNotificación de discreción para los centros comunitarios de pruebasNotification of Enforcement Discretion for Business AssociatesNotificación de discreción para asociados de negociosNotification of Enforcement Discretion for TelehealthNotificación de discreción para telemedicinaGuidanceGuidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth - June 13, 2022Guidance on HIPAA, COVID-19 Vaccination, and the Workplace - September 30, 2021Guidance on HIPAA, Health Information Exchanges, and Disclosures of Protected Health Information for Public Health Purposes - December 18, 2020HIPAA, Centrales de Información de Salud y Divulgación de Información de Salud Protegida para fines relacionados con la salud públicaUpdated Guidance on HIPAA and Contacting Former COVID-19 Patients about Plasma Donation - August 2020Guía actualizada sobre HIPAA y contacto con ex pacientes de COVID-19 sobre la donación de plasma - agosto de 2020Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their FacilitiesOrientación sobre proveedores de atención médica cubiertos y restricciones sobre el acceso de los medios a la información médica protegida sobre las personas en sus instalacionesDisclosures of PHI to Law Enforcement, Paramedics, Other First Responders and Public Health AuthoritiesRevelación de información a funcionarios de la ley, paramédicos, otros socorristas y las autoridades de salud públicaFAQs on HIPAA and TelehealthPreguntas frecuentes sobre telemedicina y HIPAABulletinsMarch 2020 Civil Rights, HIPAA, and COVID-19 BulletinBoletín informativo de marzo de 2020 - Derechos Civiles, la ley HIPAA y la enfermedad del coronavirus 2019 (COVID-19)March 2020 HIPAA and COVID-19 BulletinMarzo de 2020 Boletín informativo sobre el COVID-19 y la Ley HIPAAFebruary 2020 HIPAA and Novel CoronavirusFebrero de 2020: la Norma de Privacidad de la ley HIPAA y el nuevo coronavirusResourcesWebinar: OCR Update on HIPAA and COVID-19 — April 24, 2020VIDEO: https://youtu.be/2C6iOdS_FR0SLIDES: https://go.usa.gov/xvExS [PDF - 1 MB]For more information about the release of protected health information for planning or response activities in emergency situations, please visit the HIPAA Emergency Preparedness page.To learn more about civil rights during COVID-19, please visit Civil Rights and COVID-19.For more information about how nondiscrimination laws apply during an emergency, please visit the Civil Rights Emergency Preparedness page. Content last reviewed April 26, 2023

Timeline

  • Resolution
  • Incident and investigation milestones are not consistently published by OCR in machine-readable form.

Key takeaways for your organization

  • Treat internet-facing systems and vendor-hosted environments as in-scope for HIPAA risk analysis and technical safeguards testing.
  • Maintain an actionable risk analysis tied to remediation milestones; evidence should map to Security Rule implementation specifications.
  • Align policies, procedures, and evidence with the specific CFR provisions cited in OCR resolutions affecting your entity type.
  • Run tabletop exercises for breach response, OCR inquiry handling, and privilege-preserving communications with counsel.

Related actions

Security Rule NPRM

Summary of the Security Rule

Security Guidance

Source

U.S. Department of Health and Human Services release

Source: U.S. Department of Health and Human Services, Office for Civil Rights. medcomply.ai aggregates public materials for educational use — not legal advice.