On April 2, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that it will exercise its enforcement discretion and not penalize either a health care provider or its business associate when the business associate undertakes a good faith use and disclosure of protected health information (PHI) for public health and health oversight activities. This exercise of enforcement discretion applies during the COVID-19 emergency.
Currently, the HIPAA regulations permit covered entities, such as health care providers and health plans, to share PHI for public health and health oversight purposes. The regulations also permit a covered entity to delegate such a disclosure to its business associate, but this delegation must be expressly described in the business associate agreement between the parties. Business associates are also permitted to disclose PHI for public health and health oversight purposes if such disclosure is required by law. Under its new notification, OCR will not pursue a HIPAA enforcement action if a business associate makes a PHI disclosure to a health oversight agency or to ensure public health and safety during the COVID-19 public health emergency, even if such disclosure is not described in the applicable business associate agreement or required by law.
OCR states that the rationale for this decision is to support the efforts of the Centers for Disease Control and Prevention, the Centers for Medicare and Medicaid Services, state and local health departments, and other emergency operations centers, because these agencies need access to COVID-19–related data that may include protected health information.
In addition to the requirement that the disclosure be made in good faith, OCR also requires that the business associate notify the applicable covered entity within 10 calendar days after the disclosure. OCR’s exercise of its enforcement discretion is effective immediately.