On April 2, 2020, the Office of Civil Rights (OCR) issued a notification stating that it will not impose penalties for violations of certain provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule against healthcare providers or their business associates for good faith uses and disclosures of protected health information (PHI) for public health activities during the COVID-19 nationwide public emergency. The HIPAA Privacy rule already permits covered entities to provide this type of information, but OCR has extended this permission to business associates for the time being. OCR uses its enforcement discretion in temporarily waiving these penalties for business associates.

In a press release last Thursday, HHS stated that OCR issued this notification “to support Federal public health authorities and health oversight agencies like the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers who need access to COVID-19 related data, including PHI.”

OCR Director, Roger Severino, stated that “granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

OCR has a new webpage with all COVID-19 related materials issued by OCR available here.