OCR Enforcement Discretion for Business Associate PHI Use

The Department of Health and Human Services’ (HHS) Office for Civil Rights, as part of a broad response to support federal and state health authorities and emergency operations centers who need access to COVID-19-related data, has announced it will exercise additional COVID-19-related enforcement discretion. The OCR enforcement discretion is discussed below.

What Enforcement Discretion Will be Exercised?

Previously, OCR announced it would exercise its enforcement discretion and not impose penalties for noncompliance with certain HIPAA requirements. Specifically, penalties will not be imposed in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.

On April 2, 2020, another notice of OCR enforcement discretion was announced. Under this new notice, effective as of April 2, 2020, OCR will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates.

Penalties will not be imposed for the good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 emergency.


What Does This Mean for Covered Entities and Business Associates?

Under the HIPAA Privacy Rule, covered entities are already permitted to share COVID-19 related data, including PHI, with federal and state public health authorities and health oversight agencies, including the federal Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state health departments, and state emergency operations centers.

When such agencies, authorities, and departments need access to this information, the Privacy Rule allows covered entities to disclose to them the PHI that is needed. The new notice of enforcement discretion now permits business associates to also share this data with these agencies, authorities, and departments without risk of a HIPAA penalty. Business associates will not be penalized, provided the sharing with or disclosure to these groups is made in good faith.

HHS expects that this granting of greater freedom to business associates to cooperate and exchange information with public health and oversight agencies can help flatten the coronavirus curve and potentially save lives.

Why Was the New Notice of Enforcement Discretion Issued?

Prior to the issuance of this notice of enforcement discretion, HIPAA business associates could use and disclose protected health information for public health and health oversight purposes only if expressly permitted by a business associate agreement with a HIPAA covered entity. Federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers had been requesting PHI from HIPAA business associates (i.e., a disclosure of PHI), and had been requesting that business associates perform public health data analytics on such PHI (i.e., a use of PHI by the business associate), for the purpose of ensuring the health and safety of the public during the COVID-19 public health emergency. Some business associates did not timely participate in these efforts, because their business associate agreements did not expressly permit them to make such uses and disclosures of PHI.

When Will Penalties Not Be Imposed?

OCR will not impose penalties against a business associate or covered entity under the Privacy Rule provisions regarding business associate uses, disclosures, and contracts, if, and only if:

The business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities or health oversight activities; and

The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

In other words, OCR will not fine a business associate or a covered entity for the mere failure to have a business associate agreement allowing for use and disclosure of PHI for public health and health oversight purposes. Covered entities and business associates will not be fined, provided the use or disclosure is in good faith, and the covered entity receives the 10-day notification.

Examples of such good faith uses or disclosures covered by this notification include uses and disclosures for or to:

The Centers for Disease Control and Prevention (CDC), or a similar public health authority at the state level, for the public health activity purpose of preventing or controlling the spread of COVID-19; and

The Centers for Medicare and Medicaid Services (CMS), or a similar health oversight agency at the state level, for the health oversight purpose of overseeing and providing assistance for the healthcare system as it relates to the COVID-19 response.

This enforcement discretion does not extend to other requirements or prohibitions under the Privacy Rule. In addition, the enforcement discretion does not extend to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. For example, business associates remain liable for complying with the Security Rule’s requirements to implement safeguards that maintain the confidentiality, integrity, and availability of electronic PHI (ePHI), including by ensuring secure transmission of ePHI to the public health authority or health oversight agency. A breach of unsecured PHI that occurs in the course of such a disclosure is still a reportable breach under the Breach Notification Rule.

The new Notification of Enforcement Discretion will remain in effect until the Secretary of HHS declares that the COVID-19 public health emergency no longer exists, or upon the expiration date of the declared public health emergency, whichever occurs first.