Message Sent To:All Faculty, All Staff, Student Workers
Message From:Message from Information Technology Services
Date Sent:Thursday, March 18, 2021 10:10 AM CDT

HIPAA Changes in 2020 Due to the COVID-19 Pandemic

March 18, 2021

Dear Faculty, Staff, and Student Workers,

These Health Insurance Portability and Accountability Act (HIPAA) updates are sent quarterly to keep you informed about Loyola University Chicago’s role in maintaining HIPAA compliance.

The COVID-19 pandemic has not resulted in any permanent changes to HIPAA, but it has seen unprecedented flexibilities introduced on a temporary basis to make it easier for healthcare providers and business associates to treat and advise patients on the front line in the fight against COVID-19.

We want to remind you that, during emergency situations such as disease outbreaks, HIPAA rules remain in effect, and the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule remain unchanged. However, enforcement of compliance may be eased.

Good Faith Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency

The Notice of Enforcement Discretion in relation to COVID-19 was announced by the Office of Civil Rights (OCR) on March 17, 2020 and concerns the good faith provision of telehealth services:

  • The OCR is waiving potential penalties for HIPAA violations by healthcare providers that provide virtual care to patients through everyday communications technologies during the COVID-19 nationwide public health emergency. This means healthcare providers are permitted to use everyday communications tools to provide telehealth services to patients, even if those tools would not normally be considered fully HIPAA compliant.

  • Individual sessions on platforms such as FaceTime, Skype, Zoom, and Google Hangouts can be used in the good faith provision of telehealth services for patient consultations without penalty for the duration of the public health emergency. However, public-facing platforms such as TikTok and Facebook Live must not be used.

  • On April 2, 2020, the OCR announced it will be exercising enforcement discretion and will not impose sanctions and penalties on business associates of HIPAA covered entities for uses and disclosures of protected health information (PHI) for public health and health oversight activities.

For any further questions, please contact datasecurity@LUC.edu.


James Pardonek, MS, CISSP, CEH, GSNA
Associate Director
Chief Information Security Officer