Due to the COVID-19 Pandemic, HHS Eases Restrictions on the Use and Disclosure of PHI by Business Associates

Eric Packel
BakerHostetler
Contact
LinkedIn
Facebook
X
Send
Embed

BakerHostetler

The COVID-19 public health emergency already has caused the U.S. Health and Human Services (HHS) Office for Civil Rights to announce various enforcement changes and waivers. On April 2, HHS issued another notification of enforcement discretion – this one relating to business associates. This latest notification allows business associates to use and disclose protected health information (PHI) for public health and health oversight purposes even if not expressly permitted by their business associate agreement.

Due to COVID-19, federal, state and local health authorities have requested that various entities disclose PHI or perform data analytics on PHI to assist in efforts to combat COVID-19. However, some entities that are Health Insurance Portability and Accountability Act (HIPAA) business associates have been constrained by their business associate agreement because it did not permit them to make such uses/disclosures of PHI. To facilitate these efforts, OCR now will not impose penalties on a business associate (or covered entity) where the business associate makes a good-faith use or disclosure of PHI consistent with public health activities and/or health oversight activities.

Covered entities already were permitted to make such public health and health oversight disclosures, without authorization, under existing HIPAA regulations. Now, during the health emergency, those same regulations are essentially extended to business associates.

Examples of good-faith use or disclosures by business associates under this notification include:

  • Disclosures to the Centers for Disease Control and Prevention (CDC) or similar public health authorities for the purpose of preventing or controlling the spread of COVID-19.
  • Disclosures to the Centers for Medicare and Medicaid Services (or a similar state agency) for the purpose of overseeing and providing assistance for the healthcare system related to the COVID-19 response.

Note that to fall within the parameters of this enforcement discretion, the business associate must inform the covered entity within 10 days of the use or disclosure. Nor does this discretion release business associates from other HIPAA requirements, including ensuring secure transmission of any ePHI to the CDC or other public health agencies.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:

BakerHostetler
BakerHostetler
Contact
more
less

BakerHostetler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide