HHS has announced that it is issuing a limited waiver of HIPAA sanctions and penalties during the COVID-19 outbreak. The waiver, effective March 15, applies to noncompliance by covered hospitals with the following provisions of the HIPAA Privacy Rule: (1) obtaining a patient's agreement to speak with family members or friends involved in the patient’s care; (2) honoring a request to opt out of the facility directory; (3) distributing a notice of privacy practices; (4) the patient's right to request privacy restrictions; and (5) the patient's right to request confidential communications. The waiver only applies to hospitals that have instituted a disaster protocol in emergency areas for 72 hours after the hospital has implemented the disaster protocol. European data protection authorities in several countries, including Spain, Luxembourg, and Switzerland, have also addressed patient privacy in light of the COVID-19 global pandemic by releasing guidance on the issue.