HHS issues notification of enforcement discretion under HIPAA for certain uses and disclosures by business associates
Following declarations of a public health emergency and national emergency arising from the coronavirus disease 2019 (COVID-19) pandemic, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has issued a notice of enforcement discretion stating that OCR will decline to impose penalties against covered entities or business associates with respect to certain uses and disclosures of Protected Health Information (PHI) by business associates under the Health Insurance Portability and Accountability Act (HIPAA).
The notice follows OCR’s guidance last week addressing permitted disclosures to law enforcement and public health authorities by covered entities. This latest announcement permits business associates to share PHI with public health authorities and health oversight agencies in accordance with certain exceptions under HIPAA as needed to continue COVID-19 relief efforts. The notice was issued and effective April 2, 2020 and is available on the HHS website.
Under normal circumstances, HIPAA permits a business associate of a covered entity to use and disclose PHI for certain services or functions on behalf of the covered entity and only pursuant to the explicit terms of the agreement between the covered entity and business associate or as required by law. These agreements often do not permit a business associate to disclose information or perform analytics on behalf of public health authorities, health oversight agencies, state and local health departments and state emergency operations centers. Under this notice of enforcement discretion, HHS will not impose penalties under the provisions of HIPAA that govern uses or disclosures by a business associate (45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5)) where a business associate makes a good faith use or disclosure of PHI for public health activities or health oversight activities (pursuant to 45 CFR 164.512(b) and 45 CFR 164.512(d) respectively), as long as the business associate informs the covered entity within ten (10) calendar days after the use or disclosure first occurs or, for repeated uses or disclosures, commences. The notice provides examples of such uses or disclosures, such as disclosures to the CDC or a state public health entity for purposes of controlling the spread of COVID-19 or disclosures to the Centers for Medicare and Medicaid Services or a similar state health oversight agency.
Under the notice, OCR will not impose penalties arising out of any non-compliance with the following list of HIPAA privacy provisions:
- 164.502(a)(3) – prohibiting uses and disclosures of PHI that are not permitted by an applicable business associate agreement or required by law;
- 164.502(e)(2) – requiring business associate agreements with business associates that cover their uses and disclosures of PHI;
- 164.504(e)(1) – requiring specific terms for business associate agreements, including specification of the uses and disclosures of PHI and requiring covered entities and business associates to take reasonable steps to cure a breach of, or terminate, a business associate agreement by a business associate (or subcontractor business associate); and
- 164.504(e)(5) – requiring business associate agreements with subcontractor business associates.
The enforcement discretion does not extend to other applicable provisions of HIPAA, such as the security requirements, including the requirement that any PHI disclosed in good faith to a public health authority be sent by the business associate through a secure transmission. Additionally, the exercise of enforcement discretion does not apply to other state or federal laws that might apply to uses or disclosures of PHI.
The notice is effective as of April 2, 2020 and will remain in effect until the public health emergency declaration expires or the Secretary of HHS determines that the public health emergency no longer exists, whichever occurs first.
If you have any questions regarding these new requirements and their implications, please contact the authors or your DLA Piper relationship attorney.