COVID-19: HHS Permits Business Associates to Use and Disclose PHI for Public Health and Health Oversight Purposes Without Amending BAAs
The Department of Health and Human Services (HHS) announced on April 2 that HHS is exercising its enforcement discretion to permit business associates to use and disclose protected health information (PHI) for public health and health oversight purposes in accordance with HIPAA, even where not permitted by the applicable business associate agreement (BAA). See Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19 (Notification).
Specifically, HHS’ Notification states it will not take enforcement action against business associates – or the applicable covered entities – for uses and disclosures by business associates for public health and health oversight activities during the duration of the COVID-19 public health emergency if the business associate follows these parameters:
The use or disclosure is a good faith use or disclosure for public health activities or health oversight activities consistent with HIPAA’s requirements for such uses and disclosures at 45 C.F.R. § 164.512(b) and (d), and outlined in more detail below. Examples in the Notification include disclosures to (i) the CDC or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID-19, or (ii) CMS, or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to a COVID-19 response; and
The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, if the use or disclosure will repeat over time).
Absent this enforcement discretion, the HIPAA Privacy Rule would only permit a business associate to use and disclose PHI for public health and health oversight purposes if expressly permitted by its BAA with a HIPAA covered entity. This would mean that many business associates would need to amend their BAAs with applicable covered entities before disclosing PHI to a public health authority or health oversight agency or performing data analytics for public health purposes related to the COVID-19 public health emergency. The process of amending a BAA takes time and would result in some business associates being “unable to timely participate” in efforts by public health and health oversight agencies, per the HHS Notification.
To try to alleviate this issue, the Notification permits business associates to make these uses and disclosures without amending the BAAs, subject to the requirements above. A more detailed summary of HIPAA’s exceptions for using and disclosing PHI for public health and health oversight activities follows.
Public Health Activities
HIPAA permits the use and disclosure of PHI for certain public health activities, including to the following:
A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, including, but not limited to, the reporting of disease, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; and
A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity.
Health Oversight Activities
HIPAA permits the disclosure of PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
The health care system;
Government benefit programs for which health information is relevant to beneficiary eligibility;
Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
Entities subject to civil rights laws for which health information is necessary for determining compliance.
“Health oversight agency” is defined to include a federal, state, or local government agency authorized by law to oversee the public and private health care system or government programs in which health information is necessary for determining eligibility or compliance, or to enforce civil rights laws for which health information is relevant. The definition includes the employees, agents, contractors, persons or entities acting under a grant of authority of such public agency. 45 C.F.R. § 164.501. Examples of health oversight agencies, in addition to CMS, can include for example, state Departments of Insurance, state Medicaid agencies, and state licensing boards for health care providers. See examples of “health oversight agencies” provided in HHS, Permitted Uses and Disclosures: Exchange for Health Oversight Activities (2017), released by HHS several years ago.
This Notification does not waive any other HIPAA requirements (including the requirements of the HIPAA Security Rule and Breach Notification Rule) or any requirements of other federal or state laws. This enforcement discretion begins immediately and will last until the Secretary of HHS declares the public health emergency is over or upon the expiration of the declared public health emergency, whichever occurs first.