June 6, 2020

June 05, 2020

Subscribe to Latest Legal News and Analysis

June 04, 2020

Subscribe to Latest Legal News and Analysis

June 03, 2020

Subscribe to Latest Legal News and Analysis

HHS Further Relaxes HIPAA Regulations Governing Use and Disclosure of Protected Health Information During the COVID-19 Public Health Emergency

On April 2, 2020, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) announced a Notification of Enforcement Discretion to allow certain uses and disclosures of Protected Health Information (“PHI”) by HIPAA business associates during the COVID-19 public health emergency.  Understanding that the CDC, CMS and state and local health departments need quick access to COVID-19 related healthcare data in order to fight the pandemic, HHS decided to grant HIPAA business associates greater freedom to cooperate and exchange COVID-19-related information with public health and oversight agencies.

Notification of Enforcement Discretion

Under HIPAA, a “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity (i.e., health plans, most health care providers and health care clearinghouses).  Before a business associate can access a covered entity’s PHI, the business associate and the covered entity must enter into a business associate agreement (“BAA”) that stipulates what a business associate can and cannot do with the covered entity’s PHI.  Generally, a business associate is prohibited from using or disclosing PHI except as necessary to perform services for the covered entity or as otherwise set forth in the BAA.

Under the HIPAA Privacy Rule, a business associate is only allowed to use and disclose PHI for public health and health oversight purposes if the BAA between the business associate and the covered entity expressly permits such a purpose.  According to HHS, since the outbreak of COVID-19, federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers have requested PHI from business associates, or requested that business associates perform public health data analytics on such PHI; however, some business associates have been unable to timely participate in these efforts because their BAAs do not expressly permit them to make such uses and disclosures of PHI.

Doctors, scientists and public health authorities have stressed the importance of having up-to-date and comprehensive data surrounding the pandemic to accurately measure the extent and severity of COVID-19 and to assess the effectiveness of the response. [1]  As business associates are often service providers with an expertise in data compilation and data analysis, allowing these entities to use and disclose PHI for the public health may be an important step in fully understanding the spread and effects of the virus.

Therefore, in order to facilitate the public health response, effective immediately, HHS will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule for uses and disclosures of PHI by business associates for public health and health oversight activities. Rather than forcing parties to amend their BAAs, HHS’ exercise of discretion will allow business associates to skip this step and immediately use and disclose PHI for public health and health oversight purposes related to COVID-19.

Limitations of the Enforcement Discretion

It is important to note that HHS’ notification is not a broad waiver of the use and disclosure requirements of the HIPAA Privacy Rule.  Rather, HHS expressly states that the enforcement discretion “does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities.”  Thus, business associates must continue to comply with other provisions of the HIPAA Privacy and Security Rules, including the implementation of safeguards to ensure confidentiality and secure transmission of electronic PHI for any request for which this enforcement discretion applies.

Additionally, this enforcement discretion will be exercised if, and only if:

  1. the disclosure or use is made in “good faith” for public health activities and health oversight activities; and

  2. the business associate informs the covered entity within ten days after the use or disclosure occurs (or commences, with respect to ongoing uses or disclosures).

HHS has put forth certain examples of good faith uses or disclosures covered by the notification, which specifically reference public health authorities, such as the CDC, state and local health departments and CMS (or a similar oversight agency at the state level).


The issuance of this notification aligns with the general shift toward deregulation of the healthcare industry during the COVID-19 pandemic.[2]  The impetus behind this shift is to allow health care industry stakeholders more freedom to combat the pandemic as expeditiously as possible.  We will continue to monitor regulations surrounding COVID-19 and the healthcare industry to evaluate whether the industry continues down a path of deregulation or if a new series of regulations are imposed following the pandemic’s end.


[1]See The Covid-19 Pandemic in the US and AMA underscores importance of science, data in COVID-19 fight.

[2] See CMS Issues Temporary Waivers in Broad Coronavirus Response and CMS “Hospitals Without Walls” Waiver.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.


About this Author

Matthew Shatzkes Attorney New York Sheppard Mullin

Matthew Shatzkes is an associate in the Corporate Practice Group in the New York office of Sheppard Mullin and is a member of the firm’s healthcare practice team.

Matthew Shatzkes advises healthcare entities and not-for-profit corporations on a wide range of business, regulatory and transactional matters. Mr. Shatzkes advises clients on issues relating to entity formation, governance, corporate transactions (mergers, asset sales, dissolutions), and compliance with various federal and state laws, including regulatory compliance matters. Mr. ...


Susan Ingargiola is an associate in the Corporate Practice Group in the firm's New York office.

Areas of Practice

Susan advises healthcare organizations, including hospitals, health systems, insurers, community health centers, health information exchange organizations, pharmaceutical and biotechnology companies, and mobile app developers on health information privacy issues, including compliance with HIPAA and state medical record confidentiality laws, as well as other compliance- related matters. She conducts regulatory diligence in connection with healthcare transactions, including contracting and acquisitions. Susan also advises on not-for-profit governance, Medicare and Medicaid reimbursement, participation in the federal health center and 340B drug discount programs, fraud and abuse laws, audits and investigations, and other federal and state healthcare regulatory matters.

Samuel O'Brien Corporate Lawyer Sheppard Mullin

Samuel O'Brien is an associate in the Corporate Practice Group in the firm's Century City office and is a member of the firm’s Healthcare team.