On April 2, 2020, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services announced it would not impose penalties for a business associates’ good-faith use and disclosure of protected health information (PHI) in violation of business associate agreement terms for the purpose of public health and health oversight activities.
This comes amid the OCR’s effort to help “flatten the curve” by supporting public health authorities, health oversight agencies, state and local health departments, and state emergency operations centers who need access to COVID-19 related data, including PHI, but who may be unable to do in a timely manner under HIPAA’s normal requirements.
This notification is in addition to the OCR’s announcement in March 2020 that it would forego penalties in connection with the good-faith use of telehealth, which we summarized earlier here. Below we explain what this latest announcement means for providers and other entities responding to requests for PHI during the COVID-19 crisis.
What does the HIPAA Privacy Rule require under normal circumstances?
The OCR enforces certain regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, to protect the privacy and security of protected health information, namely the HIPAA Privacy, Security and Breach Notification Rules (the HIPAA Rules).
Broadly, the HIPAA Privacy Rule protects individuals’ PHI and sets limits on the “uses and disclosures” of PHI that may be made without patient authorization. The Privacy Rule permits a “business associate” of a HIPAA “covered entity” to use and disclose PHI to conduct certain activities or functions on behalf of the covered entity, or provide certain services to or for the covered entity—but only pursuant to the explicit terms of a written agreement often referred to as a “business associate agreement” or “BAA.”
Current regulations allow a HIPAA business associate to use and disclose protected health information to public health authorities for public health and health oversight purposes, but only if it is expressly permitted by its BAA with the HIPAA-covered entity. “Public health authorities” under HIPAA include agencies or authorities of the United States or local government responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. Such examples would include State and local health departments, the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention (CDC), and the Occupational Safety and Health Administration (OSHA), and Centers for Medicare and Medicaid Services (CMS).
What “uses and disclosures” are now permitted by business associates amid COVID-19?
- The business associate makes a good-faith use or disclosure of the covered entity’s PHI for “public health activities” or “health oversight activities” consistent with HIPAA; and
- The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).
What are some examples of permissible uses and disclosures amid COVID-19?
- The CDC or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID-19.
- CMS, or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response.
Are good-faith disclosures limited to COVID-19 infection data?
While the examples of good-faith uses and disclosures covered by the OCR notice are limited to COVID-19, it is unclear whether the data must directly correlate to COVID-19 or whether the disclosure of any data that could broadly be helpful to responding to the COVID-19 crisis would be permitted.
What other HIPAA requirements remain intact?
This enforcement discretion is limited to uses and disclosures for public health and health oversight activities and does not extend to other requirements or prohibitions under the Privacy Rule. Nor does it relax any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. As cautioned in our March alert, the cost of a health information breach goes beyond enforcement penalties and is estimated at $429 per record according to the IBM Security and Ponemon Institute’s 2019 Cost of Data Breach Study.
Business associates remain liable for complying with other applicable portions of the Privacy Rule and the Security Rule’s requirements to implement safeguards to maintain the confidentiality, integrity, and availability of electronic PHI (ePHI), including by ensuring its secure transmission to the public health authority or health oversight agency. Further, the OCR’s notification does not address business associates’ contractual obligations (failure to follow BAA terms is still a breach of contract) nor does it eliminate the requirements of other federal or state laws that limit a business associate’s ability to disclose PHI to third parties, even for the public health purposes contemplated here.