On April 2, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that, effective immediately, it will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency. The notification can be found here.
Why is this further “enforcement discretion” a new thing? Because the HIPAA Privacy Rule already permits covered entities to disclose PHI for public health purposes and as it relates to communicable diseases. It doesn’t permit business associates (BAs) to do the same, though. During the COVID-19 pandemic, however, BAs may now disclose PHI to public health officials or health oversight agencies without fear of being penalized.
What types of Business Associates can disclose PHI?
AKA, Does the OCR “enforcement discretion” apply to you?
Business partner Julia Huddleston and I had to think a bit about what types of business associates would be in a position to disclose PHI under this new relaxing of the rules. We identified several who may be able to make these disclosures:
- Telehealth vendors
- Population health vendors
- Group health plan third party administrators (among others)
That said, business associates will still need to pay attention to disclosures! Enforcement relaxation is not intended to give BAs broad permission to disclose PHI. This disclosure is only to be associated with treating those impacted by COVID-19, reporting where cases are appearing and so forth. Even then, if it is possible, the PHI should be de-identified. At the very least such disclosures need to be kept to the minimum necessary.
During the pandemic, covered entities and business associates have more latitude when it comes to the use and disclosure of PHI. Keep in mind that this is a temporary situation. After the national emergency is lifted, enforcement will resume. This means that business associates will no longer have the latitude to disclose PHI to public health officials and health oversight agencies. The current action is similar to the relaxing of enforcement related to the use of platforms like FaceTime for telehealth. For more information about OCR’s COVID-19 resources, click here.
Are your policies & procedures up to the risks of a suddenly extended remote workforce? Now is a great time to double-check how relevant yours are for security standards, device use and more. Please call or email if you need help – and stay safe!