Healthcare Law Alert: OCR Makes Additional Announcement of Enforcement Discretion under HIPAA Due to COVID-19
Yesterday, the Department of Health and Human Services, Office for Civil Rights (OCR), the HIPAA enforcement agency, issued a press release and Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19.
The OCR previously issued a notice that it will be exercising its “enforcement discretion” not to impose penalties under HIPAA relating to the use of telehealth communication technology in the “good faith” provision of telehealth services during the COVID-19 nationwide public health emergency, and later issued a Q&A document answering related questions. The prior notice may be found here and the OCR’s Q&A notice here. Our prior Healthcare Law Alerts on this topic, as well as other COVID-19 HIPAA topics, may be found on the Brach Eichler COVID-19 Resource Page.
In yesterday’s publication, the OCR stated that “it will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against healthcare providers or their business associates for the good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.”
Current HIPAA regulations permit a HIPAA business associate to use and disclose protected health information (PHI) for public health and health oversight purposes only if such uses and disclosures are specifically permitted under the business associate agreement between the covered entity and its business associate. Pursuant to the OCR’s notice published today:
To facilitate uses and disclosures for public health and health oversight activities during this nationwide public health emergency, effective immediately, OCR will exercise its enforcement discretion and will not impose penalties against a business associate or covered entity under the Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if, and only if:
- The business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d); and
- The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).
Examples of such good faith uses or disclosures covered by this Notification include uses and disclosures for or to:
- The Centers for Disease Control and Prevention (CDC), or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID-19, consistent with 45 CFR 164.512(b).
- The Centers for Medicare and Medicaid Services (CMS), or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the healthcare system as it relates to the COVID-19 response, consistent with 45 CFR 164.512(d).
The OCR warned that the enforcement discretion will not extend to other requirements or prohibitions under HIPAA, including obligations under the Breach Notification Rule. Further, the notification does not address other federal or state laws, including breach of contract claims, that might apply to the uses and disclosures of the information described in the notice.
OCR stated that the notification was issued “to support Federal public health authorities and health oversight agencies, like the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers who need access to COVID-19-related data, including PHI. The HIPAA Privacy Rule already permits covered entities to provide this data, and today’s announcement now permits business associates to also share this data without risk of a HIPAA penalty.”
For additional information or assistance with HIPAA compliance, please contact: