Notice of Enforcement Discretion for Business Associates to Allow PHI Disclosures for Public Health and Health Oversight Activities

On April 2, 2020, the Department of Health and Human Services announced that with immediate effect, it will be exercising enforcement discretion and will not impose sanctions or financial penalties against healthcare providers or their business associates for good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities for the duration of the COVID-19 public health emergency, or until the Secretary of the HHS declares the public health emergency no longer exists.

The Notice of Enforcement Discretion was issued to support Federal public health authorities and health oversight agencies such as the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention (CDC), state and local health departments, and other emergency operation centers that require timely access to COVID-19 related data.

While disclosures of PHI by HIPAA-covered entities for public health and health oversight purposes are permitted under the HIPAA Privacy Rule, currently business associates of HIPAA-covered entities are only permitted to disclose PHI for public health and health oversight purposes if their business associate agreement with a HIPAA-covered entity specifically states that they can do so. Without the Notice of Enforcement Discretion, business associates could face financial penalties for disclosures of PHI for public health and health oversight purposes.

The Notice of Enforcement Discretion applies to the HIPAA Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), and 45 CFR 164.504(e)(1) and (5), but only for a good faith use or disclosure of PHI by a business associate for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d). The business associate must inform the covered entity about the use or disclosure no later than 10 calendar days after the use or disclosure occurred.

The Notice of Enforcement Discretion does not apply to any other provisions of the HIPAA Rules, and the HIPAA Security Rule remains in effect. Should PHI be disclosed to a public health authority or health oversight agency, the business associate must ensure the requirements of the HIPAA Security Rule are met and reasonable safeguards are implemented to ensure the confidentiality, integrity, and availability of ePHI and that the information is transmitted in a secure manner.

“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” explained OCR Director, Roger Severino. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

You can view the OCR Notice of Enforcement Discretion on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.