HHS Relaxes Some HIPAA Disclosures for Public Health
Building on the March 2020 notice regarding the decision by the Department of Health and Human Services (HHS) to permit covered entities and their business associates to use certain internet communications services for the transmission of PHI, HHS has issued a notification that it “is exercising its discretion in how it applies the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)” (Notification) during the COVID-19 crisis.
The Notification indicates that during the COVID-19 outbreak, HHS will not initiate enforcement actions against covered health care providers or their business associates that use or disclose PHI for public health and health oversight activities. This protection applies even if the business associate was not expressly permitted to disclose PHI in its business associate agreement. (Generally, HIPAA would prohibit such uses and disclosures, potentially subjecting both the covered entity and its business associate to an enforcement action and substantial penalties.) HHS’s announcement appears to have been motivated by delays in receiving COVID-19 related information from business associates concerned about HIPAA prohibitions.
To qualify under the HHS guidance, a business associate must act in good faith in providing PHI, and must inform the covered entity that it has done so within 10 days of the date of use or disclosure. The Notification states that disclosures to the Centers for Disease Control and Prevention, for the purpose of slowing the spread of COVID-19, or the Centers for Medicare and Medicaid Services, for the purpose of assisting the healthcare delivery system, would be considered “good faith” disclosures of PHI. This discretionary, non-enforcement position taken by HHS should continue until the expiration of the public health emergency, as determined by HHS or the federal government.
Importantly, the non-enforcement discretion does not extend to other requirements or prohibitions under the HIPAA Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules that are applicable to business associates and covered entities. “For example, business associates remain liable for complying with the Security Rule’s requirements to implement safeguards to maintain the confidentiality, integrity, and availability of electronic PHI (ePHI), including by ensuring secure transmission of ePHI to the public health authority or health oversight agency.”
The Notification is not the first attempt by HHS to lessen privacy restrictions in the wake of the COVID-19 outbreak:
- A February 2020 OCR bulletin provided guidance for permissible disclosures of PHI relating to COVID-19, noting that the Privacy Rule allows covered entities to disclose PHI without a patient’s consent “as necessary to treat the patient or to treat a different patient,” including coordination or management of healthcare and related services. OCR also noted that a covered entity may disclose PHI to anyone “as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public”;
- A March 2020 limited waiver issued by HHS waived certain liability under the Privacy Rule to enable better information-sharing in connection with COVID-19;
- A March 2020 OCR release gave additional guidance for disclosure of PHI related to COVID-19 to law enforcement, paramedics, other first responders and public health authorities without a patient’s consent.
The CARES Act requires HHS to issue, within 180 days, guidance on the sharing of patients’ PHI relating to COVID-19, including compliance under HIPAA.
HHS’s Notification on discretionary non-enforcement expressly states that the notification “creates no legal obligations and no legal rights.” Further, the protection is limited in scope. Among potential concerns is that the Notification would not offer protection against a breach of contract action commenced against a business associate for disclosure or use of PHI. Thus, business associates who intend to rely upon the Notification should ensure that their compliance team considers contractual obligations, business issues, and coordination with operations in addition to regulatory concerns.
If you have any questions or need more information, contact Joshua A. Mooney (firstname.lastname@example.org; 215.864.6345), Stephen Bowers (email@example.com; 215.864.6247), or Richard M. Borden (firstname.lastname@example.org; 212.631.4439).
As we continue to monitor the novel coronavirus (COVID-19), White and Williams lawyers are working collaboratively to stay current on developments and counsel clients through the various legal and business issues that may arise across a variety of sectors.