OCR’s HIPAA Enforcement Discretion: Business Associates May Use and Disclose PHI for Public Health and Health Oversight Activities to Combat COVID-19

We have previously commented on OCR’s exercise of enforcement discretion and accompanying FAQs for covered entities during the COVID-19 public health emergency. In another exercise of enforcement discretion, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that it “will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the good faith uses and disclosures of protected health information (“PHI”) by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.” The enforcement discretion was effective immediately upon the announcement on April 2, 2020, and will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, whichever occurs first.

The HIPAA regulations permit covered entities to use and disclose PHI for certain public health and health oversight purposes under 45 CFR 164.512(b) and (d), respectively. However, under current regulations, a HIPAA business associate may use or disclose PHI for such purposes only if expressly permitted by its business associate agreement (“BAA”). As explained in the Notification, “Federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers have requested PHI from HIPAA business associates (i.e., a disclosure of PHI), or requested that business associates perform public health data analytics on such PHI (i.e., a use of PHI by the business associate) for the purpose of ensuring the health and safety of the public during the COVID-19 national emergency, which also constitutes a nationwide public health emergency. Some HIPAA business associates have been unable to timely participate in these efforts because their BAAs do not expressly permit them to make such uses and disclosures of PHI.”

Uses and Disclosures Subject to Enforcement Discretion

Per the Notification, OCR will not impose penalties for violations of certain HIPAA provisions related to BAAs “if, and only if:

  • the business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d); and
  • the business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).”

Examples of such good faith uses or disclosures covered by the Notification include uses and disclosures for or to the CDC, CMS, or similar state-level public health or health oversight agencies, for the purposes of preventing or controlling the spread of COVID-19 or for overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with the HIPAA provisions referenced above.

A Word of Caution

The Notification cautions that it does not extend to other requirements of the HIPAA rules or to violations of other federal or state laws, such as breach of contract. Thus, business associates should continue to comply with all other applicable HIPAA requirements, such as ensuring that transmission of any PHI to permitted authorities is done with appropriate safeguards in place. In addition, business associates should consider consulting the covered entities whose PHI they may use or disclose pursuant to the Notification to amend the BAA if needed, or otherwise seek assurance from the covered entity that it will not pursue breach of contract claims against the business associate for such uses or disclosures. Business associates and covered entities should also remember that, at this time, this Notification extends only through the end of the COVID-19 emergency, and should expect the full requirements of the HIPAA rules to once again apply once the emergency concludes.

Finally, OCR announced via its Privacy and Security listservs on April 3, 2020, that an individual has been posing as an OCR investigator in an attempt to obtain PHI. Business associates and covered entities should be alert to such scams and exercise caution when responding to any requests for PHI, taking steps to verify the identity of the requestor before releasing any information.

For more information on how HIPAA applies, generally and during the COVID-19 national emergency, please contact Madison M. Pool.