Legal Update
Apr 3, 2020
HIPAA Update - OCR Enforcement Discretion to Allow Business Associates to Disclose PHI for Public Health Activities and Health Oversight Activities
Sign up for our Coronavirus roundup email.
Visit our Coronavirus resource page.
Summary
On Thursday, April 2, 2020, the Office for Civil Rights (“OCR”) issued a Notification of Enforcement Discretion under the Health Insurance Portability and Accountability Act (“HIPAA”). The Notification provides guidance regarding the use and disclosure of protected health information (“PHI”) by a business associate for public health and health oversight purposes in response to the COVID-19 pandemic. The Notification is not yet published in the Federal Register, but can be found on the OCR’s website: https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-hipaa.pdf.
OCR has found that response to the pandemic has been hampered because some business associates are prevented from providing PHI requested by Federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers. OCR aims to free up the flow of PHI for the pandemic response by refraining from issuing sanctions in certain designated circumstances.
Background
HIPAA authorizes covered entities, which include health care providers and health plans, to disclose PHI to business associates for use and further disclosure as long as such use and disclosure complies with the parties’ business associate agreement (“BAA”) or is required by law. A business associate is an independent entity which handles PHI for a covered entity in order to provide a service such as claims processing or administration; data analysis, processing or administration; patient safety activities; practice management; or legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
Under current HIPAA regulations, a covered entity may use and disclose PHI for public health activities and health oversight activities, but a business associate may only do so if the BAA expressly authorizes. Many business associates that do not have such express authorization in their BAA have been unable to share information that OCR believes is necessary to fight the pandemic.
Enforcement Discretion
Effective immediately, OCR will not impose sanctions against business associates or covered entities for the business associate’s use or disclosure of PHI in this regard as long as the use or disclosure is made in good faith, is consistent with the rule for public health activities, 45 C.F.R. § 164.512(b), or the rule for health oversight activities, 45 C.F.R. § 164.512(d), and the business associate notifies the covered entity within 10 days of the disclosure (or commencement of a disclosure that will be repeated over time).
Section 164.512(b) allows a covered entity to disclose PHI for public health purposes and activities to a public health authority, such as the CDC, that is authorized by law to collect or receive such information for the purpose of preventing or controlling a disease. Such disclosures include reporting of disease, injury, births and deaths, and the conduct of public health surveillance, public health investigations, and public health interventions. Under the new enforcement discretion, a business associate would not be sanctioned for supplying PHI consistent with this standard.
Likewise, a business associate would not be sanctioned for providing PHI in a manner consistent with Section 164.512(d) which allows a covered entity to disclose PHI to a health oversight agency, such as CMS, for activities authorized by law for appropriate oversight of the health care system; beneficiary eligibility for government benefit programs; and entity compliance with government regulatory programs and civil rights laws. Such oversight activities include audits; investigations; inspections; licensure or disciplinary actions; and civil, administrative, or criminal proceedings.
The enforcement discretion applies until the Secretary of Health and Human Services declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, whichever occurs first.
Limitations
The enforcement discretion does not apply, and sanctions may still be imposed for, other violations of the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E), violations of the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) and violations of the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D). Moreover, the enforcement discretion does not affect business associates’ obligations to comply with State privacy laws or other Federal laws.
Implications
The enforcement discretion will likely lead to a freer flow of information requested by government agencies for dealing with the current public health emergency and presumably to better informed response. Covered entities and business associates may consider revising their BAAs to prepare for future situations. While a blanket authorization for such disclosures is probably not warranted, grafting the terms of OCR’s notification into the BAA may be advisable. Finally, oversight agencies such as CMS may see an opportunity to obtain information from business associates for investigations and other enforcement actions taken during the public health emergency, including such activities related to use of stimulus funds under the CARES Act.