HHS to Exercise Enforcement Discretion to Permit HIPAA Business Associates to Use and Disclose PHI to Public Health Authorities during the COVID-19 Health Crisis
On April 2, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services released a notification related to the discretion that OCR will exercise concerning HIPAA enforcement during the COVID-19 public health emergency. Effective immediately, OCR will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against business associates for “good faith uses and disclosures of PHI by business associates for public health and health oversight activities.” HIPAA already permits covered entities to provide this data. With this new guidance from OCR, business associates can now disclose this data to certain public health authorities without risk of a HIPAA privacy enforcement action or penalty.

Healthcare entities should review the five-page notification, as the enforcement discretion gives breathing room to business associates to assist public health agencies in responding to the COVID-19 outbreak. Still, this notification should not be looked at as a free pass on all aspects of HIPAA compliance.
OCR noted that federal, state and local public health authorities and health oversight agencies have requested PHI from HIPAA business associates or data analytics of such PHI as part of the virus response, but that some business associates were unable to assist due to HIPAA concerns. Thus, to facilitate the public health response, OCR will exercise its enforcement discretion if:
the business associate makes a “good faith use or disclosure” of the covered entity’s PHI for public health activities and health oversight activities [emphasis added]; and
the business associate informs the covered entity within ten days after the use or disclosure occurs (or commences, with respect to uses or disclosures that are ongoing).
The notification makes specific reference to such public health authorities as the CDC, state and local health departments and CMS (or similar oversight agency at the state level). Importantly, OCR expressly states that this enforcement discretion “does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities.” Thus, business associates must maintain compliance with the HIPAA Security Rule and take safeguards to ensure confidentiality and secure transmission of ePHI to any request from a public health authority. And, to be sure, this notification does not change the restrictions around the disclosure of PHI to non-government entities.