OCR Relaxes Enforcement For Pandemic-Related Disclosures of PHI During Public Health Emergency
April 5, 2020
By: Stacy Walton Long and
The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that effective April 2, 2020, it will not impose penalties against health care providers or their business associates for certain violations of the Health Insurance Portability and Accountability Act (HIPAA). Specifically, OCR will not impose penalties against health care providers or their business associates who disclose protected health information (PHI), in good faith, for public health and health oversight activities while COVID-19 is declared a public health emergency.
HIPAA mandates that a business associate (a person or entity that performs certain functions or activities on behalf of, or provides services to a covered entity), may only disclose PHI in accordance with the terms of a business associate agreement (BAA). This requirement has restricted some business associates from responding to requests from federal public health authorities, health oversight agencies, state and local health departments, and state emergency operation centers, to use or disclose PHI to help ensure the public’s health and safety during the COVID-19 pandemic. Specifically, this restriction has impacted business associates whose BAAs do not expressly permit the types of use and disclosures requested during the pandemic.
As a result of this legal hurdle, OCR states that it will not impose penalties against covered entities or business associates under HIPAA’s Privacy Rule provisions, 45 CFR 164.502(a)(3) and (e)(2), and 45 CFR 164.504(e)(1) and (5) if, and only if:
- the business associate makes a good faith use or disclosure of the covered entity's PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d); and
- the business associate informs the covered entity within 10 calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).
Thus, while COVID-19 is declared a public health emergency, business associates may use or disclose PHI to the Centers for Disease Control and Prevention (CDC), or a state public health authority, for purposes of preventing or controlling the spread of COVID-19. Business associates may also use or disclose PHI to the Centers for Medicare and Medicaid (CMS), or a state health oversight agency, for assisting the health care system’s efforts to combat COVID-19.
Covered entities and business associates must still comply with all other HIPAA requirements, and adhere to state laws governing the privacy and security of PHI. More information regarding the obligations of business associates is available here.
For questions regarding OCR’s announcement, or any other HIPAA related questions, please contact Stacy Walton Long or Alexandria M. Foster.
Practices
Industries
April 5, 2020
By: Stacy Walton Long and
The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that effective April 2, 2020, it will not impose penalties against health care providers or their business associates for certain violations of the Health Insurance Portability and Accountability Act (HIPAA). Specifically, OCR will not impose penalties against health care providers or their business associates who disclose protected health information (PHI), in good faith, for public health and health oversight activities while COVID-19 is declared a public health emergency.
HIPAA mandates that a business associate (a person or entity that performs certain functions or activities on behalf of, or provides services to a covered entity), may only disclose PHI in accordance with the terms of a business associate agreement (BAA). This requirement has restricted some business associates from responding to requests from federal public health authorities, health oversight agencies, state and local health departments, and state emergency operation centers, to use or disclose PHI to help ensure the public’s health and safety during the COVID-19 pandemic. Specifically, this restriction has impacted business associates whose BAAs do not expressly permit the types of use and disclosures requested during the pandemic.
As a result of this legal hurdle, OCR states that it will not impose penalties against covered entities or business associates under HIPAA’s Privacy Rule provisions, 45 CFR 164.502(a)(3) and (e)(2), and 45 CFR 164.504(e)(1) and (5) if, and only if:
- the business associate makes a good faith use or disclosure of the covered entity's PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d); and
- the business associate informs the covered entity within 10 calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).
Thus, while COVID-19 is declared a public health emergency, business associates may use or disclose PHI to the Centers for Disease Control and Prevention (CDC), or a state public health authority, for purposes of preventing or controlling the spread of COVID-19. Business associates may also use or disclose PHI to the Centers for Medicare and Medicaid (CMS), or a state health oversight agency, for assisting the health care system’s efforts to combat COVID-19.
Covered entities and business associates must still comply with all other HIPAA requirements, and adhere to state laws governing the privacy and security of PHI. More information regarding the obligations of business associates is available here.
For questions regarding OCR’s announcement, or any other HIPAA related questions, please contact Stacy Walton Long or Alexandria M. Foster.