HHS OCR to Exercise Enforcement Discretion to Allow Business Associates to Share PHI for Public Health and Health Oversight Activities

Akin Gump Strauss Hauer & Feld LLP

On April 2, 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that the agency will exercise enforcement discretion with respect to certain uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities that would otherwise violate the Health Insurance Portability and Accountability Act of 1996 and Health Information Technology for Economic and Clinical Health Act of 2009 (together with their implementing regulations, HIPAA) during the COVID-19 public health emergency.1

Under HIPAA, health plans, certain health care providers (including most physicians, hospitals, pharmacies and nursing homes) and health care clearinghouses are considered “covered entities” and are required to comply with its provisions. Business associates of these covered entities, which create or receive PHI in the course of performing functions or services for them or on their behalf, are also subject to many of HIPAA’s requirements. A business associate is only permitted to use or disclose PHI pursuant to the business associate agreement it entered into with the covered entity or as required by law.2

While HIPAA permits covered entities to use and disclose PHI for certain public health and health oversight activities without a patient’s consent, business associates are not granted the same exceptions unless they are provided for in their respective business associate agreements. In its notice of enforcement discretion, the OCR explains that due to this limitation some business associates have been unable to participate in efforts to respond to COVID-19 in a timely way.3

Thus, the OCR will not impose penalties on either a business associate or covered entity under certain provisions of the HIPAA Privacy Rule for the duration of the public health emergency if the business associate (1) “makes a good faith use or disclosure of the covered entity’s PHI” for public health or health oversight activities, consistent with HIPAA provisions setting forth those exceptions for covered entities, and (2) informs the covered entity within 10 calendar days of using or disclosing the PHI.4

The OCR explains that examples of good faith uses or disclosures covered by this enforcement discretion policy include disclosures to:

  • The Centers for Disease Control and Prevention (CDC), or similar public health authorities at the state level, to prevent or control the spread of COVID-19 (consistent with the HIPAA exception for a covered entity’s use and disclosure of PHI for public health activities).
  • The Centers for Medicare and Medicaid Services (CMS), or similar health oversight agencies at the state level, for the purposes of overseeing and providing assistance for the health care system as it relates to the COVID-19 response (consistent with the HIPAA exception for a covered entity’s use and disclosure of PHI for health oversight activities).5

The notice makes clear that business associates are still subject to other requirements and prohibitions under HIPAA, and that the policy will not extend beyond the COVID-19 public health emergency. The policy does not address other federal or state laws that might apply.

Over the past few months, the OCR has issued a number of guidance documents explaining how these and other HIPAA exceptions may be employed during the COVID-19 crisis, including guidance issued on March 24, 2020, explaining the circumstances under which covered entities may disclose PHI related to COVID-19 to law enforcement, paramedics, other first responders and public health authorities without an individual’s authorization.6 The OCR has also announced that it will exercise enforcement discretion related to the use of certain remote communications technologies to provide telehealth services to patients during the public health emergency.7

Additional information about health information and privacy during the COVID-19 public health emergency is available here.


1 U.S. Department of Health and Human Services (HHS), Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19, 85 Fed. Reg. 19,392 (Apr. 7, 2020), https://www.govinfo.gov/content/pkg/FR-2020-04-07/pdf/2020-07268.pdf.

2 45 C.F.R. § 164.502(a)(3).

3 85 Fed. Reg. at 19,393.

4 Id.; 45 C.F.R. §§ 164.512(b), 164.512(d).

5 85 Fed. Reg. at 19,393.

6 HHS OCR, COVID-19 and HIPAA: Disclosures to Law Enforcement, Paramedics, Other First Responders and Public Health Authorities (Mar. 2020), https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf.

7 HHS OCR, Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising
