The COVID-19 public health emergency has already caused the U.S. Health and Human Services (HHS) Office for Civil Rights (OCR) to announce various enforcement changes and waivers. On April 2, HHS issued another notification of enforcement discretion – this one relating to business associates. This latest notification allows business associates to use and disclose protected health information (PHI) for public health and health oversight purposes even if not expressly permitted by their business associate agreement.

Due to COVID-19, federal, state and local health authorities have requested that various entities disclose PHI or perform data analytics on PHI to assist in efforts to combat COVID-19. However, some entities that are Health Insurance Portability and Accountability Act (HIPAA) business associates have been constrained by their business associate agreement because it did not permit them to make such uses/disclosures of PHI. To facilitate these efforts, OCR now will not impose penalties on a business associate (or covered entity) where the business associate makes a good-faith use or disclosure of PHI consistent with public health activities and/or health oversight activities.

Covered entities already were permitted to make such public health and health oversight disclosures, without authorization, under existing HIPAA regulations. Now, during the health emergency, those same regulations are essentially extended to business associates.

Examples of good-faith uses or disclosures by business associates under this notification include:

  • Disclosures to the Centers for Disease Control and Prevention (CDC) or similar public health authorities for the purpose of preventing or controlling the spread of COVID-19.
  • Disclosures to the Centers for Medicare and Medicaid Services (or a similar state agency) for the purpose of overseeing and providing assistance for the healthcare system related to the COVID-19 response.

Note that to fall within the parameters of this enforcement discretion, the business associate must inform the covered entity within 10 days of the use or disclosure. Nor does this discretion release business associates from other HIPAA requirements, including ensuring secure transmission of any ePHI to the CDC or other public health agencies.