Business Associates Allowed to Disclose PHI in Relation to COVID-19 Public Health and Health Oversight Activities

Last April 2, 2020, the Department of Health and Human Services gave an announcement that is effective immediately. HHS is exercising discretion in enforcement and won’t enforce sanctions or issue financial penalties to healthcare organizations or their business associates with regard to good faith uses and disclosures of protected health information (PHI) for public health and health monitoring activities throughout the COVID-19 public health emergency, or until the public health emergency is declared over by the Secretary of the HHS.

The issuance of the Notice of Enforcement Discretion supports the Federal public health authorities and health oversight institutions, for instance, the Centers for Disease Control and Prevention (CMS), the Centers for Medicare and Medicaid Services (CMS), state and local health divisions, and other emergency operation centers which need quick access to COVID-19 related information.

Although the HIPAA Privacy Rule allows PHI disclosures by HIPAA-covered entities for purposes of public health and health oversight, at present business associates of HIPAA covered entities can only disclose PHI for purposes of public health and health oversight when it is particularly stated in their business associate agreement (BAA) with a HIPAA covered entity. If the Notice of Enforcement discretion was not issued, business associates can suffer financial penalties for disclosing PHI for purposes of public health and health oversight.

The Notice of Enforcement Discretion is applicable to the following HIPAA Privacy Rule Provisions but only for good faith uses or disclosures of PHI in relation to public health activities by a business associate in accordance with 45 CFR 164.512(b), or health monitoring activities in accordance with 45 CFR 164.512(d). A business associate needs to notify the covered entity concerning the use or disclosure of PHi within 10 calendar days.

  • 45 CFR 164.502(a)(3)
  • 45 CFR 164.502(e)(2)
  • 45 CFR 164.504(e)(1) and (5)

The Notice of Enforcement Discretion is not applicable to any other conditions of HIPAA Rules. The HIPAA Security Rule continues to be enforced. When PHI disclosure to a public health authority or health oversight agency occurs, the business associate should make sure that the HIPAA Security Rule requirements are satisfied, There must be reasonable safety measures implemented to protect the confidentiality, availability and integrity of ePHI and information must be transmitted securely.

OCR Director, Roger Severino, stated that the CMS, CDC, including state and local health departments need to have fast access to COVID-19 related health information in order to combat this pandemic. In allowing HIPAA business associates to have more freedom to work and exchange data with public health and oversight institutions, there is better potential to flatten the curve and save people’s lives.

The OCR Notice of Enforcement Discretion can be viewed on this page.