HHS to Exercise Enforcement Discretion to Permit HIPAA Business Associates to Use and Disclose PHI to Public Health Authorities during the COVID-19 Health Crisis

Proskauer - Privacy & Cybersecurity

On April 2, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services released a notification describing the enforcement discretion OCR will exercise with respect to HIPAA during the COVID-19 public health emergency. Effective immediately, OCR will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against business associates for “good faith uses and disclosures of PHI by business associates for public health and health oversight activities.” HIPAA already permits covered entities to provide this data. With this new guidance from OCR, business associates can now disclose this data to certain public health authorities without risk of a HIPAA Privacy Rule enforcement action or penalty. Healthcare entities should review the five-page notification, as the enforcement discretion gives business associates breathing room to assist public health agencies in responding to the COVID-19 outbreak. Still, this notification should not be read as a free pass on all aspects of HIPAA compliance.

OCR noted that federal, state and local public health authorities and health oversight agencies have requested PHI from HIPAA business associates or data analytics of such PHI as part of the virus response, but that some business associates were unable to assist due to HIPAA concerns. Thus, to facilitate the public health response, OCR will exercise its enforcement discretion if:

  • the business associate makes a “good faith use or disclosure” of the covered entity’s PHI for public health activities and health oversight activities [emphasis added]; and
  • the business associate informs the covered entity within ten days after the use or disclosure occurs (or commences, with respect to uses or disclosures that are ongoing).

The notification makes specific reference to public health authorities such as the CDC, state and local health departments, and CMS (or a similar oversight agency at the state level). Importantly, OCR expressly states that this enforcement discretion “does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities.” Thus, business associates must maintain compliance with the HIPAA Security Rule and apply safeguards to ensure the confidentiality and secure transmission of ePHI when responding to any request from a public health authority. And, to be sure, this notification does not change the restrictions on disclosure of PHI to non-government entities.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Cybersecurity | Attorney Advertising