Further to our March 25th update and the guidance issued by the Office of Civil Rights (OCR) in late March, OCR has issued an additional Notification of Enforcement Discretion, allowing for enforcement discretion regarding additional uses and disclosures of protected health information (PHI) for public health and health oversight activities during the COVID-19 pandemic.
Under the Health Insurance Portability and Accountability Act (HIPAA)’s Privacy Rule, business associates are generally only permitted to use and disclose PHI for public health and health oversight purposes if the specific type of use or disclosure is explicitly permitted by their agreement with a particular covered entity. The Notification of Enforcement Discretion notes that – in the context of the COVID-19 pandemic – federal public health authorities and state and local health departments, among others, have either requested PHI from business associates or required business associates to perform health data analytics on PHI for purposes of ensuring the health and safety of the public. In many cases, business associates have been unable to honor these requests in a timely manner (or at all) because their agreements with certain covered entities do not specifically permit the specific uses or disclosures.
Acknowledging the gravity of the COVID-19 global pandemic and in an effort to facilitate uses and disclosures of PHI for public health and health oversight activities, OCR, therefore, announced that it will exercise its enforcement discretion (effective immediately) and will not impose penalties against a business associate or covered entity for certain uses or disclosures of PHI that might not otherwise meet HIPAA requirements, if both of the following conditions are met:
- The business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b) (e.g., for public health surveillance), or health oversight activities consistent with 45 CFR 164.512(d) (e.g., disclosures to government regulatory programs); and
- The business associate informs the covered entity within 10 calendar days after the use or disclosure occurs.
Notably, the Notification of Enforcement Discretion does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. Further, disclosures for commercial gain are also not covered by this Notification of Enforcement Discretion. As such, it will be important for companies to carefully consider whether envisioned disclosure fit into the exceptions outlined above and continue to monitor updates issued by OCR during the COVID-19 pandemic.
