HIPAA and Compliance News

OCR Permits Business Associates to Share Patient Data During COVID-19

A new enforcement discretion by OCR will allow business associates to share PHI with public health authorities in good faith, without fear of an OCR penalty for HIPAA noncompliance.


By Jessica Davis

The Office for Civil Rights will waive penalties for HIPAA noncompliance against providers or business associates over the good faith use and disclosure of protected health information during the Coronavirus, or COVID-19, pandemic.

According to the notice, the enforcement discretion was driven by the need to provide Federal public health authorities and health oversight agencies, such as the Centers for Disease Control and Prevention, with support and protected health information during the crisis.

Under HIPAA, covered entities are already allowed to share this information with those entities. However, HIPAA business associates are allowed to use and disclose protected health information for public health and health oversight purposes only if expressly outlined in their business associate agreement with the covered entity.

With the new enforcement discretion, business associates are now permitted to share this data in the same manner without explicit permission in the BAA and without the risk of a HIPAA penalty from OCR.

Federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers have reportedly struggled to receive timely protected health information related to the pandemic from business associates, as the BAA does not expressly allow those disclosures.

The goal of the discretion is to improve response to these requests and requests to perform public health data analytics on such PHI to protect public health and safety during the national emergency.

“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” said OCR Director Roger Severino, in a statement. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

Under the enforcement discretion, a business associate is permitted to use and disclose PHI for public health and health oversight activities during the pandemic in several situations. To start, use and disclosure of the covered entity’s PHI must be made in good faith for public health activities or health oversight activities.

The business associate will also be required to inform the covered entity of the use and disclosure within 10 calendar days of the activity. If the activity is ongoing, the 10-day timer begins at the start of the activity that will repeat over time.

Such activity can include sharing the data with CDC or a similar public health authority to help prevent or control the spread of the Coronavirus. The discretion also includes sharing data with CMS or similar health oversight agencies to support oversight of, and assistance to, the healthcare sector related to the COVID-19 response.

“This enforcement discretion does not extend to other requirements or prohibitions under [HIPAA], nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities,” the notice reads.

“For example, business associates remain liable for complying with the Security Rule’s requirements to implement safeguards to maintain the confidentiality, integrity, and availability of electronic PHI (ePHI), including by ensuring secure transmission of ePHI to the public health authority or health oversight agency,” it concluded.

Overall, the Department of Health and Human Services has made similar adjustments to enforcement during the pandemic. HHS issued a waiver of HIPAA sanctions for some activities, including the need to secure patient consent before sharing information with family about the patient’s care.

OCR has also lifted penalties for telehealth use in an effort to ensure timely, safe access to care during the pandemic.