OCR Announces Enforcement Discretion for Business Associate Uses and Disclosure of PHI

On April 2, 2020, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued another Notice of Enforcement Discretion in relation to COVID-19, this time relating to uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 public health emergency.

While the HIPAA Privacy Rule permits healthcare providers to disclose PHI to public health authorities such as the Centers for Disease Control and Prevention (CDC) and the HHS’ Centers for Medicare and Medicaid Services (CMS) to support public health and health oversight activities, business associates of HIPAA-covered entities are only permitted to disclose PHI for public health and health oversight activities if their business associate agreement with a HIPAA-covered entity states that they are permitted to do so. The HIPAA Rules have not been changed, but penalties will not be applied in such cases.

The Notice of Enforcement Discretion was issued to support the activities of federal health authorities, state and local health departments, and state emergency operations centers during the 2019 Novel Coronavirus pandemic and will help to ensure they have access to data related to COVID-19.

The Notice of Enforcement Discretion applies to healthcare providers and their business associates, who will not now face sanctions and financial penalties for good faith uses and disclosures of PHI by business associates in relation to public health and health oversight activities. The Notice of Enforcement Discretion is effective immediately and will last for the duration of the nationwide COVID-19 public health emergency or until the Secretary declares the public health emergency is over.

When a business associate of a HIPAA-covered entity makes a good faith use or disclosure of PHI in relation to public health and health oversight activities, it must notify the HIPAA-covered entity about the use or disclosure within 10 days of the use or disclosure occurring.

The Notice of Enforcement Discretion does not apply to the HIPAA Security Rule. Business associates must implement safeguards to ensure the confidentiality, integrity, and availability of PHI, make good faith efforts to secure any PHI disclosed to a public health authority, and adhere to all other provisions of the HIPAA Rules.

Financial penalties can, and will, be imposed on business associates for any violations of HIPAA Rules not covered by the Notice of Enforcement Discretion.

“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” explained OCR Director Roger Severino. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

The OCR Notice of Enforcement Discretion can be viewed on this link.