HHS Relaxes HIPAA Privacy Rule Enforcement for COVID-19 Information Sharing


The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced on April 2, 2020 that it will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers and their business associates for good faith uses and disclosures of patient information intended to assist the government in its efforts to combat COVID-19.

HHS has already released other pronouncements during this pandemic regarding telehealth remote communications, HIPAA requirements related to telemedicine and expanding benefits for Medicare beneficiaries.

The HIPAA Privacy Rule regulations permit a business associate to use and disclose protected health information (PHI) for public health and health oversight purposes only if expressly permitted by its business associate agreement with a HIPAA covered entity. The Notification of Enforcement Discretion was issued to support Federal public health authorities and health oversight agencies as well as state and local health departments access COVID-19-related data, including PHI. In the press release announcing the discretionary enforcement, OCR Director Roger Severino noted that "the Centers for Disease Control and Prevention (CDC), Centers for Medicare & Medicaid Services (CMS), and state and local health departments need quick access to COVID-19-related health data to fight this pandemic."

Business associates who share HIPAA-protected information in good faith during this pandemic are required to inform the covered entity within ten (10) days of the disclosure. As of now, HHS' enforcement discretion will not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities.

According to the Federal Register notice, the Notification of Enforcement Discretion will "remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, whichever occurs first."

Saul Ewing's lawyers regularly assist health care providers with HIPAA Privacy Rule compliance as well as how to respond to the business and legal challenges posed by the COVID-19 pandemic. For questions about how this guidance affects your practice or company, please reach out to the authors of this article.

Supplemental Materials
Related Topics