Health Law Daily OCR exercises enforcement discretion for potential violations of use, disclosure of PHI
News
Friday, April 3, 2020

OCR exercises enforcement discretion for potential violations of use, disclosure of PHI

By Susan L. Smith, JD, MA

During the COVID-19 nationwide public health emergency, the HHS Office of Civil Rights will not impose potential penalties against covered health care providers or their business associates for possible violations of certain provisions of the HIPAA Privacy Rule related to uses and disclosures of protected health information.

Due to the COVID-19 nationwide public health emergency, the HHS Office of Civil Rights (OCR) is applying its enforcement discretion to certain general and organizational use and disclosure requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (P.L. 104-191). Effective immediately, OCR will not impose potential penalties for violations of 45 C.F.R. §§164.502(a)(3),164.502(e)(2), 164.504(e)(4) and 164.504(e)(5) against covered health care professionals (covered entities) or their business associates (BAs) for uses and disclosures of protected health information (PHI) by BAs for public health and health oversight activities if the BAs meet certain conditions. The Notification of Enforcement Discretion, which will be published in the Federal Register on April 7, 2020, will remain in effect until the Secretary determines that the public health emergency no longer exists or when the expiration date of the declared public health emergency, which ever comes first ( see 42 U.S.C.§247d).

BA privacy rule requirements versus requests for PHI. Underthe HIPAA Privacy Rule, a BA of a HIPAA covered entity may use and disclose PHI to conduct certain activities or functions on behalf of the covered entity. In addition, a BA may provide certain services to or for the covered entity pursuant to the explicit terms of its BA agreement (BAA) (see 45 C.F.R. §164.502(e)(2)) or as required by law. During the COVID-19 national emergency, however, federal, state, and local authorities as well as oversight agencies and state emergency operation centers have requested PHI from BAs or requested that BAs perform data analytics on such PHI to ensure the health and safety of the public. Because the BAAs of some BAs do not expressly permit them to use or disclose the data requested, they have not been able to timely respond to the requests being made.

Conditions of application of enforcement discretion. The OCR will not impose penalties against a BA or covered entity for violations only if:

  1. The BA makes a good faith use or disclosure of the covered entity’s PHI for public health activities for the purpose of preventing or controlling the spread of COVID-19 consistent with 45 C.F.R. §512(b); or makes a good faith use or disclosure of the PHI for health oversight activities for the overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with §512(d).
  2. The BA informs the covered entity within 10 calendar days after the use or disclosure occurs or commences for those uses or disclosures that will be repeated over time.

The enforcement discretion does not extend to other requirements or prohibitions under the Privacy Rule or obligations under the HIPAA Security and Breach Notification Rules applicable to covered entities and BAs.

MainStory: TopStory NewsStory AgencyNews Covid19 GeneralNews ComplianceNews HIPAANews

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More
Health Law Daily

Health Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on health legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.

Free Trial Learn More