Notice of Enforcement Discretion for Business Associates to Allow PHI Disclosures for Public Health and Health Oversight Activities

The Department of Health and Human Services announced, n April 2, 2020, that it will from here on be exercising enforcement discretion and will not sanction HIPAA penalties against healthcare suppliers or their business associates for good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities for the duration of the COVID-19 pandemic, or until the Secretary of the HHS declares that it is finally over.

The Notice of Enforcement Discretion was released to support Federal public health authorities and health oversight agencies such as the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention (CMS), state and local health departments, and other emergency operation centers that need easy access to COVID-19 related information.

While the sharing of PHI by HIPAA-covered groups for public health and health oversight purposes are allowed under the HIPAA Privacy Rule, at present business associates of HIPAA covered entities are only legally allowed to disclose PHI for public health and health oversight reasons if it is specifically stated that they can do so in their business associate agreement with a HIPAA covered group. Without the Notice of Enforcement discretion, business associates could face financial fines for disclosures of PHI for public health and health oversight reasons.

The Notice of Enforcement Discretion applies to the HIPAA Privacy Rule Provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) but only in the case of a good faith use or disclosure of PHI for public health activities by a business associate for public health activities in line with 45 CFR 164.512(b), or health oversight activities in line with 45 CFR 164.512(d). The business associate must advise the covered entity about the use of disclosure no later than 10 calendar days after the use or disclosure took place.

The Notice of Enforcement Discretion does not apply to any other parts of HIPAA Rules and the HIPAA Security Rule remains applicable. Should PHI be shared to a public health authority or health oversight agency, the business associate must see to it that the requirements of the HIPAA Security Rule are met and reasonable safeguards are implemented to ensure the confidentiality, integrity, and availability of ePHI and that the information is transmitted in a safe manner.

OCR Director, Roger Severino said that: “The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic. Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

You can read the OCR Notice of Enforcement Discretion on this webpage.