HIPAA Enforcement Update: Disclosures Made by Business Associates During COVID-19

On April 2, 2020, the Department of Health and Human Services (HHS) released a HIPAA enforcement update regarding disclosures made by Business Associates (BA) during COVID-19.

Current regulations allow a HIPAA BA to use and disclose protected health information (PHI) for public health and health oversight purposes only if expressly permitted by its business associate agreement with a HIPAA covered entity or as required by law. Yesterday, HHS announced that it will not impose penalties on covered entities or BAs for uses and disclosures of PHI by BAs for public health and health oversight activities during the COVID-19 nationwide public health emergency, so long as:

• The BA makes a good faith use or disclosure for public health or health oversight activities (e.g., to the CDC or state public health authority to prevent /control spread or to CMS or state health oversight agency for overseeing/providing assistance for the health care system related to COVID-19); and
• The BA informs the covered entity within 10 calendar days or such a disclosure or the date of commencement for ongoing disclosures.

For instance, one potential scenario may be if a covered entity has laboratory BA who is testing COVID-19 samples. The BA may be required to submit any test results, including PHI, to state or federal government agencies, despite not being explicitly allowed to do so in its business associate agreement. So long as the BA satisfies the aforementioned requirements, HHS will not impose penalties for any such HIPAA violation.