HHS Further Relaxes HIPAA Regulations Governing Use and Disclosure of Protected Health Information During the COVID-19 Public Health Emergency
On April 2, 2020, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) announced a Notification of Enforcement Discretion to allow certain uses and disclosures of Protected Health Information (“PHI”) by HIPAA business associates during the COVID-19 public health emergency. Understanding that the CDC, CMS and state and local health departments need quick access to COVID-19 related healthcare data in order to fight the pandemic, HHS decided to grant HIPAA business associates greater freedom to cooperate and exchange COVID-19-related information with public health and oversight agencies.
Notification of Enforcement Discretion
Under HIPAA, a “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity (i.e., health plans, most health care providers and health care clearinghouses). Before a business associate can access a covered entity’s PHI, the business associate and the covered entity must enter into a business associate agreement (“BAA”) that stipulates what a business associate can and cannot do with the covered entity’s PHI. Generally, a business associate is prohibited from using or disclosing PHI except as necessary to perform services for the covered entity or as otherwise set forth in the BAA.
Under the HIPAA Privacy Rule, a business associate is only allowed to use and disclose PHI for public health and health oversight purposes if the BAA between the business associate and the covered entity expressly permits such a purpose. According to HHS, since the outbreak of COVID-19, federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers have requested PHI from business associates, or requested that business associates perform public health data analytics on such PHI; however, some business associates have been unable to timely participate in these efforts because their BAAs do not expressly permit them to make such uses and disclosures of PHI.
Doctors, scientists and public health authorities have stressed the importance of having up-to-date and comprehensive data surrounding the pandemic to accurately measure the extent and severity of COVID-19 and to assess the effectiveness of the response. As business associates are often service providers with expertise in data compilation and data analysis, allowing these entities to use and disclose PHI for public health purposes may be an important step in fully understanding the spread and effects of the virus.
Therefore, in order to facilitate the public health response, effective immediately, HHS will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule for uses and disclosures of PHI by business associates for public health and health oversight activities. Rather than forcing parties to amend their BAAs, HHS’ exercise of discretion will allow business associates to skip this step and immediately use and disclose PHI for public health and health oversight purposes related to COVID-19.
Limitations of the Enforcement Discretion
It is important to note that HHS’ notification is not a broad waiver of the use and disclosure requirements of the HIPAA Privacy Rule. Rather, HHS expressly states that the enforcement discretion “does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities.” Thus, business associates must continue to comply with all other provisions of the HIPAA Privacy, Security and Breach Notification Rules, including implementing administrative, physical and technical safeguards to protect the confidentiality, integrity and secure transmission of electronic PHI, for every use or disclosure made under this enforcement discretion.
Additionally, this enforcement discretion will be exercised if, and only if:
the disclosure or use is made in “good faith” for public health activities and health oversight activities; and
the business associate informs the covered entity within ten days after the use or disclosure occurs (or commences, with respect to ongoing uses or disclosures).
HHS has put forth certain examples of good faith uses or disclosures covered by the notification, which specifically reference public health authorities, such as the CDC, state and local health departments and CMS (or a similar oversight agency at the state level).
The issuance of this notification aligns with the general shift toward deregulation of the healthcare industry during the COVID-19 pandemic. The impetus behind this shift is to allow health care industry stakeholders more freedom to combat the pandemic as expeditiously as possible. We will continue to monitor regulations surrounding COVID-19 and the healthcare industry to evaluate whether the industry continues down a path of deregulation or whether a new series of regulations is imposed following the pandemic’s end.