HHS relaxes restrictions on HIPAA Privacy Rule for COVID-19 information sharing

April 7, 2020
Medicare Web

The U.S. Department of Health and Human Services (HHS) announced on April 2 that it will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule related to novel coronavirus (COVID-19) information sharing.

During the COVID-19 emergency, covered entities and business associates will not face penalties when business associates use or disclose protected health information (PHI) for public health and health oversight activities.

Currently, the HIPAA Privacy Rule permits a business associate to use and disclose PHI to conduct certain activities or provide certain services to or for the healthcare organization, but only under the terms outlined in a business associate contract or another written agreement with the covered entity.

According to HHS, federal public health authorities and other health agencies have requested PHI from business associates or requested that the business associates perform data analytics on the PHI for public health purposes throughout the COVID-19 emergency. In some cases, the business associates have been unable to provide the information because their business associate agreements do not expressly permit such disclosures of PHI.

Going forward, the Office for Civil Rights will exercise enforcement discretion in such cases and will not impose penalties if the business associate makes “a good faith use or disclosure” of the PHI for public health activities and the business associate informs the covered entity of the disclosure within 10 calendar days.

Examples of good faith uses include disclosures to the Centers for Disease Control and Prevention or similar public health authorities at the state level, as well as disclosures to CMS or state-level health oversight agencies. All such disclosures should be made for the purpose of providing assistance to the healthcare system as it relates to the COVID-19 public health emergency.
