The Department of Health and Human Services (HHS) announced on April 2 that HHS is exercising its enforcement discretion to permit business associates to use and disclose protected health information (PHI) for public health and health oversight purposes in accordance with HIPAA, even where not permitted by the applicable business associate agreement (BAA). See Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19 (Notification).
Specifically, HHS’ Notification states it will not take enforcement action against business associates – or the applicable covered entities – for uses and disclosures by business associates for public health and health oversight activities during the duration of the COVID-19 public health emergency if the business associate follows these parameters:
Absent this enforcement discretion, the HIPAA Privacy Rule would only permit a business associate to use and disclose PHI for public health and health oversight purposes if expressly permitted by its BAA with a HIPAA covered entity. This would mean that many business associates would need to amend their BAAs with applicable covered entities before disclosing PHI to a public health authority or health oversight agency or performing data analytics for public health purposes related to the COVID-19 public health emergency. The process of amending a BAA takes time and would result in some business associates being “unable to timely participate” in efforts by public health and health oversight agencies, per the HHS Notification.
To try to alleviate this issue, the Notification permits business associates to make these uses and disclosures without amending the BAAs, subject to the requirements above. A more detailed summary of HIPAA’s exceptions for using and disclosing PHI for public health and health oversight activities follows.
HIPAA permits the use and disclosure of PHI for certain public health activities, including to the following:
HIPAA permits the disclosure of PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
“Health oversight agency” is defined to include a federal, state, or local government agency authorized by law to oversee the public and private health care system or government programs in which health information is necessary for determining eligibility or compliance, or to enforce civil rights laws for which health information is relevant. The definition includes the employees, agents, contractors, persons or entities acting under a grant of authority of such public agency. 45 C.F.R. § 164.501. Examples of health oversight agencies, in addition to CMS, can include for example, state Departments of Insurance, state Medicaid agencies, and state licensing boards for health care providers. See examples of “health oversight agencies” provided in HHS, Permitted Uses and Disclosures: Exchange for Health Oversight Activities (2017), released by HHS several years ago.
This Notification does not waive any other HIPAA requirements (including the requirements of the HIPAA Security Rule and Breach Notification Rule) or any requirements of other federal or state laws. This enforcement discretion begins immediately and will last until the Secretary of HHS declares the public health emergency is over or upon the expiration of the declared public health emergency, whichever occurs first.
For more information, please contact your Foley relationship partner or the Foley colleagues listed below. For additional web-based resources available to assist you in monitoring the spread of the coronavirus on a global basis, you may wish to visit the websites of the CDC and the World Health Organization.
Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time. To receive this content directly in your inbox, click here and submit the form.