OCR announces enforcement discretion to allow uses and disclosures of PHI by business associates for public health and health oversight activities during COVID-19 pandemic

Yesterday, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that it will exercise enforcement discretion for certain provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and will not assess penalties against health care providers or their business associates under certain circumstances. Specifically, OCR will not assess penalties against business associates who use or disclosure protected health information (PHI) for good faith uses and disclosures for public health and health oversight activities during the COVID-19 emergency period.

Under the Privacy Rule, covered entities are permitted to disclose PHI without authorization to public health authorities who are legally authorized to receive the information for the purposes including the prevention or control of disease. Covered entities are also permitted to disclose PHI to a health oversight agency for oversight activities authorized by law. A “public health authority” is an agency or authority of the federal, state, or local government that is responsible for public health matters as part of its official mandate, as well as any person or entity acting under a grant of authority or from or pursuant to a contract with, a public health agency. A “health oversight agency” includes a federal, state, or local government agency authorized by law to oversee the public and private health care system in which health information is necessary for determining eligibility or compliance, or to enforce civil rights laws for which health information is relevant, and includes employees, agents, contractors, persons or entities acting under a grant of authority of such public agency.

The discretion afforded by OCR is intended to support Federal public health authorities and health oversight agencies, like the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers who need access to COVID-19 related data. Covered entities are already permitted to share this data under the HIPAA Privacy Rule, and today’s announcement now permits business associates to do the same without risk of a HIPAA penalty if the following conditions are satisfied:

  • The business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities or health oversight activities consistent with Privacy Rule provisions allowing covered entities to make similar disclosures under 45 CFR 164.512(b) or (c).
  • The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

OCR Director Roger Severino stated that “the CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic.” He added that “granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

Since the start of the COVID-19 pandemic, OCR has made several announcements regarding flexibility in light of the national pandemic. On March 28, 2020, OCR issued a bulletin on civil rights laws and HIPAA flexibilities that apply during the COVID-19 emergency period. On March 24, 2020, guidance was issued to help ensure law enforcement, paramedics, first responders, and public health authorities receive PHI about individuals exposed to COVID-19. On March 17, 2020, OCR announced enforcement discretion for telehealth remote communications during the COVID-19 emergency period, and on March 20, 2020, OCR issued follow up guidance on telehealth remote communications.

+