Additional Leniency in HIPAA Privacy Rule Enforcement

John F. Weaver
Director, Corporate Department and Chair, Real Estate Practice Group and Chair, Artificial Intelligence Practice
April 8, 2020

The United States Department of Health and Human Services (HHS) has announced that it will ease additional restrictions limiting the use and disclosure of protected health information (PHI) during the COVID-19 public health crisis. Previously, in an effort to improve the nation’s response to the pandemic, HHS announced that it would exercise discretion in enforcing certain requirements of the HIPAA Privacy Rule governing telehealth. Additionally, HHS recently has announced that it will exercise discretion when enforcing the privacy rule with respect to the use and disclosure by covered entities and their business associates of PHI for public health and health oversight activities during the COVID-19 emergency.

The HIPAA Privacy Rule permits a business associate to use and disclose PHI to conduct certain activities on behalf of the covered entity or provide certain services to or for the covered entity, but only pursuant to the explicit terms of a business associate agreement (BAA). Although some public health authorities and emergency operations centers have requested that business associates use or disclose PHI to assist the coordinated response to the COVID-19 public health emergency, a number of them have had to refuse or had a limited ability to do so because BAAs do not expressly permit such uses and disclosures.

To enhance public health and health oversight activities during the pandemic, HHS has stated that it will not impose penalties on a covered entity or business associate under the Privacy Rule provisions 45 C.F.R. section 164.502(a)(3) (governing uses and disclosures of PHI by business associates), section 164.502(e)(2) (requiring BAAs to govern disclosures), and section 164.504(e)(1) and (5) (governing the required standard for a BAA with contractors and subcontractors), provided that both of the following conditions are met.

  1. The business associate must make a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with section 164.512(b) or health oversight activities consistent with section 164.512(d).
  2. The business associate must inform the covered entity within 10 calendar days after the use or disclosure occurs, or commences if repeated.

The HHS statement provides the following two examples of good faith uses and disclosures: first, a disclosure to the Centers for Disease Control and Prevention or a similar public health authority at the state level for the purpose of preventing or controlling the spread of COVID-19, consistent with section 164.512(b); and second, a disclosure to the Centers for Medicare and Medicaid Services or a similar health oversight agency at the state level for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with section 164.512(d).

HHS has made clear, however, that the announcement does not extend to other provisions of the Privacy Rule. This enforcement discretion will remain in effect until the date the Secretary of HHS declares the COVID-19 public health emergency no longer exists or the expiration date of the declared public health emergency, whichever occurs first.