On April 2, 2020, the federal HHS Office for Civil Rights (OCR) announced that, effective immediately, it will not impose penalties against a business associate or covered entity under the HIPAA Privacy Rule for uses and disclosures of protected health information (PHI), even if not explicitly permitted in the Business Associate Agreement, if:
- the business associate makes a “good faith” use or disclosure of the covered entity’s PHI for public health activities and health oversight activities consistent with 45 CFR 164.512; and
- the business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).
The OCR provided two examples of “good faith” uses or disclosures including to the CDC, CMS, and State health oversight agencies.
Under the HIPAA Privacy Rule, a covered entity may use or disclose PHI if the covered entity believes in good faith that disclosure is necessary to prevent or lessen a serious and imminent threat to the public, including to protect the public from the spread of infectious disease and to ensure health and safety. HIPAA further permits a business associate of a HIPAA covered entity to use and disclose PHI under the same circumstances, but only pursuant to the explicit terms of the Business Associate Agreement or other written arrangement.
Since the beginning of the COVID-19 emergency, Federal public health authorities, health oversight agencies, state and local health departments, and state emergency operations centers have requested PHI from both covered entities and business associates, or requested that business associates perform public health data analytics on such PHI, for the purpose of ensuring the health and safety of the public during the COVID-19 national emergency. In response, business associates have expressed an inability to comply because the business associate agreements did not explicitly permit such uses and disclosures.
In the wake of the ongoing national emergency, the clear intent of this new guidance is to allow business associates to disclose requested PHI to a public health agency on behalf of covered entities without the necessity of negotiating permission within the business associate agreement. While this is not a permanent amendment to the law, it does allow some coverage for business associates and contractors as they seek to provide the necessary information to track the developments during the COVID-19 crisis.
For more information regarding this guidance, please contact Eliza Whitworth at 206-447-0423 or firstname.lastname@example.org.
* The final notification has not been finalized or made public. While it is unlikely to change substantially, it could change slightly. The final notification will be supplemented when available.