HHS Suspends Penalties to Encourage Sharing of COVID-19 Data by Business Associates

On April 2, 2020, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that, effective immediately, it will be halting enforcement of certain HIPAA provisions in order to enable state and federal public health authorities and emergency operations centers to more efficiently collect COVID-19 patient data directly from regulated service providers in the healthcare industry (Business Associates).

HIPAA currently permits a Covered Entity (e.g., a healthcare provider, health plan, or healthcare clearinghouse) to use or disclose Protected Health Information (“PHI”) for certain purposes relating to public health or health oversight activity, such as disclosures to the CDC, Centers for Medicare and Medicaid Service, or state health agencies or emergency operation centers. 

Normally under HIPAA, a Business Associate of a Covered Entity could only use and disclose PHI for such purposes as explicitly permitted by a Business Associate Agreement (“BAA”). OCR explained that, as part of the nationwide COVID-19 emergency response, federal and state healthcare authorities have been requesting PHI from Business Associates, and Business Associates have even been asked to perform public health data analytics on such PHI (i.e., a use of PHI by the Business Associate). However, many BAAs do not expressly permit a Business Associate to carry out these activities, which has hindered response activities to date.

According to OCR’s recent announcement, a Business Associate can now use or disclose PHI for public health or health oversight activities, even if a BAA does not permit the Business Associate to do so. OCR shall instead “exercise its enforcement discretion and will not impose penalties against a Business Associate or Covered Entity,” but the following two conditions must be met:

1. The Business Associate must make a good faith use or disclosure of the Covered Entity’s PHI for public health activities or health oversight activities consistent with the HIPAA Privacy Rule, and

2. The Business Associate must inform the Covered Entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

OCR also clarified that this change does not impact other responsibilities of Business Associates to safeguard PHI. For example, the Enforcement Discretion Action includes a reminder that Business Associates must ensure that electronic PHI is transmitted securely to any state or federal health authorities.

Announcement from OCR, and a copy of OCR’s Enforcement Discretion Action 4153-01-P (published April 2, 2020).

Morrison & Foerster's Of Counsel Melissa M. Crespo assisted in the preparation of this client alert.