OCR Enforcement Discretion Allows Business Associates to Disclose PHI for Public Health Purposes

Faegre Drinker Biddle & Reath LLP

Faegre Drinker Biddle & Reath LLP

On April 2, 2020, the Office for Civil Rights at the Department of Health and Human Services (OCR) announced that, effective immediately, they would exercise “enforcement discretion” regarding disclosures of COVID-19-related protected health information (PHI) to public health authorities. Prior to this announcement, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule only expressly permitted covered entities to use and disclose PHI for public health purposes without patient authorization to prevent or control disease, injury and disability. See 45 CFR 164.512(b). This announcement means that business associates will be permitted by OCR to disclose PHI to public health authorities, such as the Centers for Disease Control and Prevention (CDC), Centers for Medicare & Medicaid Services (CMS), and state and local health departments, for the duration of the COVID-19 crisis to ensure they have ready access to PHI to help fight this pandemic.

OCR did place conditions on its discretionary statement. To qualify for enforcement discretion, business associates must inform their covered entity clients within 10 calendar days of the use or disclosure of PHI. Repeated or ongoing uses and disclosures must only be noticed when the use or disclosure begins, and do not require renotification.

However, as OCR notes in its announcement, all business associates have also entered into contracts with their covered entity customers. These contracts may contain additional provisions or language that limits a business associate’s ability to share PHI. OCR expressly stated that its enforcement discretion announcement “does not address other federal or state laws (including breach of contract claims) that might apply to the uses and disclosures of this information.” As a result, business associates could still face contractual liability, if they used PHI for public health purposes or disclosed PHI to a public health authority against the wishes of their covered entity customers.

Consequently, although OCR’s enforcement discretion provides some relief to business associates who have information sought by public health authorities during this crisis, it does not address the risk of contractual liability, if business associate agreements and covered entity customers prohibit such activities. Nor can OCR technically waive the Department of Justice’s authority to criminally punish uses and disclosures that occur in violation of HIPAA — though it is difficult to imagine the Department of Justice bringing an enforcement action against a company operating in compliance with OCR’s enforcement discretion statement. Business associates should carefully review this announcement and determine how best to approach their customers about sharing information sought by the CDC, CMS and other public health authorities. As public health authorities work to address the growing risks associated with the COVID-19 pandemic in the United States, business associates, which have unique access to data from multiple covered entity clients, will be important partners.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising

Written by:

Faegre Drinker Biddle & Reath LLP

Faegre Drinker Biddle & Reath LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.