COVID-19: HHS Permits Business Associates to Use and Disclose PHI for Public Health and Health Oversight Purposes Without Amending BAAs

03 April 2020 Blog
Authors: Jennifer J. Hennessy
Published To: Coronavirus Resource Center:Back to Business Health Care Law Today

The Department of Health and Human Services (HHS) announced on April 2 that HHS is exercising its enforcement discretion to permit business associates to use and disclose protected health information (PHI) for public health and health oversight purposes in accordance with HIPAA, even where not permitted by the applicable business associate agreement (BAA). See Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19 (Notification).

Specifically, HHS’ Notification states it will not take enforcement action against business associates – or the applicable covered entities – for uses and disclosures by business associates for public health and health oversight activities during the duration of the COVID-19 public health emergency if the business associate follows these parameters:

  • The use or disclosure is a good faith use or disclosure for public health activities or health oversight activities consistent with HIPAA’s requirements for such uses and disclosures at 45 C.F.R. § 164.512(b) and (d), and outlined in more detail below. Examples in the Notification include disclosures to (i) the CDC or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID-19, or (ii) CMS, or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to a COVID-19 response; and
  • The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, if the use or disclosure will repeat over time). 

Absent this enforcement discretion, the HIPAA Privacy Rule would only permit a business associate to use and disclose PHI for public health and health oversight purposes if expressly permitted by its BAA with a HIPAA covered entity. This would mean that many business associates would need to amend their BAAs with applicable covered entities before disclosing PHI to a public health authority or health oversight agency or performing data analytics for public health purposes related to the COVID-19 public health emergency. The process of amending a BAA takes time and would result in some business associates being “unable to timely participate” in efforts by public health and health oversight agencies, per the HHS Notification. 

To try to alleviate this issue, the Notification permits business associates to make these uses and disclosures without amending the BAAs, subject to the requirements above. A more detailed summary of HIPAA’s exceptions for using and disclosing PHI for public health and health oversight activities follows.

Public Health Activities

HIPAA permits the use and disclosure of PHI for certain public health activities, including to the following:

  • A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, including, but not limited to, the reporting of disease, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
  • A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; and
  • A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity.

45 C.F.R. § 164.512(b)

Health Oversight Activities

HIPAA permits the disclosure of PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:

  • The health care system; 
  • Government benefit programs for which health information is relevant to beneficiary eligibility; 
  • Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or 
  • Entities subject to civil rights laws for which health information is necessary for determining compliance. 

45 C.F.R. § 164.512(d).

“Health oversight agency” is defined to include a federal, state, or local government agency authorized by law to oversee the public and private health care system or government programs in which health information is necessary for determining eligibility or compliance, or to enforce civil rights laws for which health information is relevant. The definition includes the employees, agents, contractors, persons or entities acting under a grant of authority of such public agency. 45 C.F.R. § 164.501. Examples of health oversight agencies, in addition to CMS, can include for example, state Departments of Insurance, state Medicaid agencies, and state licensing boards for health care providers. See examples of “health oversight agencies” provided in HHS, Permitted Uses and Disclosures: Exchange for Health Oversight Activities (2017), released by HHS several years ago.

This Notification does not waive any other HIPAA requirements (including the requirements of the HIPAA Security Rule and Breach Notification Rule) or any requirements of other federal or state laws. This enforcement discretion begins immediately and will last until the Secretary of HHS declares the public health emergency is over or upon the expiration of the declared public health emergency, whichever occurs first. 

For more information, please contact your Foley relationship partner or the Foley colleagues listed below. For additional web-based resources available to assist you in monitoring the spread of the coronavirus on a global basis, you may wish to visit the websites of the CDC and the World Health Organization

Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time. To receive this content directly in your inbox, click here and submit the form. 

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services