April 6, 2020
The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that effective April 2, 2020, it will not impose penalties against health care providers or their business associates for certain violations of the Health Insurance Portability and Accountability Act (HIPAA). Specifically, OCR will not impose penalties against health care providers or their business associates who disclose protected health information (PHI), in good faith, for public health and health oversight activities while COVID-19 is declared a public health emergency.
HIPAA mandates that a business associate (a person or entity that performs certain functions or activities on behalf of, or provides services to, a covered entity) may only disclose PHI in accordance with the terms of a business associate agreement (BAA). This requirement has restricted some business associates from responding to requests from federal public health authorities, health oversight agencies, state and local health departments, and state emergency operation centers to use or disclose PHI to help ensure the public’s health and safety during the COVID-19 pandemic. Specifically, this restriction has impacted business associates whose BAAs do not expressly permit the types of uses and disclosures requested during the pandemic.
As a result of this legal hurdle, OCR states that it will not impose penalties against covered entities or business associates under HIPAA’s Privacy Rule provisions, 45 CFR 164.502(a)(3) and (e)(2), and 45 CFR 164.504(e)(1) and (5) if, and only if:
Thus, while COVID-19 is declared a public health emergency, business associates may use or disclose PHI to the Centers for Disease Control and Prevention (CDC), or a state public health authority, for purposes of preventing or controlling the spread of COVID-19. Business associates may also use or disclose PHI to the Centers for Medicare and Medicaid (CMS), or a state health oversight agency, for assisting the health care system’s efforts to combat COVID-19.
Covered entities and business associates must still comply with all other HIPAA requirements, and adhere to state laws governing the privacy and security of PHI. More information regarding the obligations of business associates is available here.