PHI Disclosures for Public Health and Health Oversight Activities Allowed in Notice of Enforcement Discretion for Business Associates

On April 2, 2020, the Department of Health and Human Services revealed that with immediate effect, it will be applying enforcement discretion and will not impose sanctions or fines against healthcare providers or their business associates for good faith uses and sharing of protected health information (PHI) by business associates for public health and health oversight activities for the duration of the COVID-19 public health emergency, or until such time as the Secretary of the HHS declares the public health emergency is no longer current.

The Notice of Enforcement Discretion was piublished to support Federal public health authorities and health oversight agencies such as the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention (CMS), state and local health departments, and other emergency operation centers that require quick access to COVID-19 related data.

While sharing PHI by HIPAA-covered entities for public health and health oversight reasons are allowable under the HIPAA Privacy Rule, currently business associates of HIPAA covered entities are only permitted to share PHI for public health and health oversight purposes if it is specifically mentioned that they can do so in their business associate agreement with a HIPAA covered body. Without the Notice of Enforcement discretion, business associates could face financial penalties for disclosures of PHI for public health and health oversight reasons.

The Notice of Enforcement Discretion applies to the HIPAA Privacy Rule Provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) but only for a good faith use or disclosure of PHI for public health activities by a business associate for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d). The business associate must inform the covered entity about the use of disclosure no later than 10 calendar days after the use or disclosure happened.

The Notice of Enforcement Discretion does not refer to any other provisions of HIPAA Rules and the HIPAA Security Rule remains active. Should PHI be shared to a public health authority or health oversight agency, the business associate must ensure the requirements of the HIPAA Security Rule are met and reasonable security measures are implemented to ensure the confidentiality, integrity, and availability of ePHI and that the information is shared in a secure manner.

OCR Director, Roger Severino said that: “The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic. Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

You can read the OCR Notice of Enforcement Discretion on this link.

Author: Maria Perez