On April 2, 2020, the Department of Health and Human Services (HHS) released a HIPAA enforcement update regarding disclosures made by Business Associates (BA) during COVID-19.
Current regulations allow a HIPAA BA to use and disclose protected health information (PHI) for public health and health oversight purposes only if expressly permitted by its business associate agreement with a HIPAA covered entity or as required by law. Yesterday, HHS announced that it will not impose penalties on covered entities or BAs for uses and disclosures of PHI by BAs for public health and health oversight activities during the COVID-19 nationwide public health emergency, so long as:
For instance, a covered entity may have a laboratory BA that is testing COVID-19 samples. The BA may be required to submit test results, including PHI, to state or federal government agencies, despite not being explicitly allowed to do so in its business associate agreement. So long as the BA satisfies the aforementioned requirements, HHS will not impose penalties for any such HIPAA violation.