June 2, 2020


HHS to Exercise Enforcement Discretion to Permit HIPAA Business Associates to Use and Disclose PHI to Public Health Authorities during the COVID-19 Health Crisis

On April 2, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services released a notification related to the discretion that OCR will exercise concerning HIPAA enforcement during the COVID-19 public health emergency. Effective immediately, OCR will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against business associates for “good faith uses and disclosures of PHI by business associates for public health and health oversight activities.” HIPAA already permits covered entities to provide this data. With this new guidance from OCR, business associates can now disclose this data to certain public health authorities without risk of a HIPAA privacy enforcement action or penalty.

Healthcare entities should review the five-page notification, as the enforcement discretion gives business associates breathing room to assist public health agencies in responding to the COVID-19 outbreak. Still, this notification should not be looked at as a free pass on all aspects of HIPAA compliance.

OCR noted that federal, state and local public health authorities and health oversight agencies have requested PHI from HIPAA business associates or data analytics of such PHI as part of the virus response, but that some business associates were unable to assist due to HIPAA concerns. Thus, to facilitate the public health response, OCR will exercise its enforcement discretion if:

  • the business associate makes a “good faith use or disclosure” of the covered entity’s PHI for public health activities and health oversight activities [emphasis added]; and

  • the business associate informs the covered entity within ten days after the use or disclosure occurs (or commences, with respect to uses or disclosures that are ongoing).

The notification makes specific reference to such public health authorities as the CDC, state and local health departments and CMS (or similar oversight agency at the state level). Importantly, OCR expressly states that this enforcement discretion “does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities.” Thus, business associates must maintain compliance with the HIPAA Security Rule and apply safeguards to ensure the confidentiality and secure transmission of ePHI in response to any request from a public health authority. And, to be sure, this notification does not change the restrictions around the disclosure of PHI to non-government entities.


© 2020 Proskauer Rose LLP.


About this Author

Ryan Blaney, Privacy Law Attorney, Proskauer Law Firm

Ryan Blaney has particular expertise in privacy law, and represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters. Blaney also practices life sciences and digital health law and has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including...

Laura Goldsmith, Corporate Litigation Attorney, Proskauer Law Firm

Laura Goldsmith is a corporate associate in the Technology, Media and Telecommunications Group. Her practice focuses on matters in technology, intellectual property, privacy and data security across a range of industries that include life sciences, retail, professional and financial services, communications, media, Internet, software, fashion, entertainment and sports.

Laura represents life science companies in various transactions, including licensing deals, research collaborations and strategic acquisitions. She also advises clients regarding compliance with federal and state laws related to privacy and data security. She contributes to Proskauer’s Privacy Law Blog and maintains the Financial Privacy and State Privacy Laws chapters of the Proskauer on Privacy treatise.

Prior to her legal career, Laura worked as a consultant to global pharmaceutical companies formulating drug development strategy and clinical trial design. She also conducted scientific research in pharmacology and biology at Duke University Medical Center and her research has been published in peer-reviewed journals.

While at Boston University School of Law, Laura served as the Editor-in-Chief for the Review of Banking & Financial Law and interned for Judge Kiyo A. Matsumoto of the U.S. District Court for the Eastern District of New York.