On April 2, 2020, the US Department of Health and Human Services, Office for Civil Rights announced that it will not impose civil money penalties against covered entity health care providers or their business associates for a business associate’s good faith use or disclosure of protected health information for public health and health oversight activities during the Coronavirus (COVID-19) nationwide public health emergency.
Last month, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) waived its enforcement of particular HIPAA requirements to promote Covered Entity health care providers’ good faith use of telehealth during the COVID-19 pandemic. On April 2, 2020, OCR issued another Notification of Enforcement Discretion to announce that, effective immediately, it will not assess civil money penalties against covered entity health care providers or their business associates for violations of certain HIPAA provisions resulting from good faith uses and disclosures by business associates of protected health information (PHI) for public health and health oversight activities during the Coronavirus (COVID-19) nationwide public health emergency. We summarize below the key elements of the OCR notification and some practical considerations for HIPAA business associates.
According to OCR, federal public health authorities and health oversight agencies, such as the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS); state and local health departments; and state emergency operations centers, have recently requested business associates to either share PHI with them or perform analytics on PHI to support COVID-19 mitigation and response efforts. The HIPAA Privacy Rule, however, often impedes the ability of business associates to timely use and share PHI for public health and health oversight activities related to COVID-19.
The Privacy Rule only allows a business associate to use and disclose PHI for purposes expressly set forth in its business associate agreement (BAA) with a covered entity or as required by law. Absent a legal requirement, a business associate cannot disclose PHI to a public health authority, for instance, if the disclosure is not permitted or required under its BAA with the covered entity and made on the covered entity’s behalf. Likewise, a business associate cannot use PHI to perform data analytics for public health purposes unless permitted to do so by its BAAs with covered entities.
OCR explains that some business associates have been unable to share and analyze PHI in the context of COVID-19 public health and oversight activities “because their BAAs do not expressly permit them to make such uses and disclosures of PHI.” Consequently, OCR is temporarily suspending its enforcement of several HIPAA Privacy Rule provisions against covered entity health care providers and their business associates in an effort to facilitate speedy information-sharing and cooperation with public health and health oversight agencies. In doing so, OCR seeks to remove regulatory barriers that can impede more robust and expedient sharing of PHI that could be used to track, control and manage the COVID-19 public health emergency.
OCR’s notification will remain effective until the Secretary of HHS declares that the COVID-19 public health emergency no longer exists or upon the expiration of President Trump’s proclamation of a national emergency—whichever comes first.
Applicability and Scope of OCR’s Enforcement Discretion
OCR’s notification applies to HIPAA enforcement against covered entity health care providers and their business associates. The notification also presumably applies to enforcement against subcontractors (as defined by HIPAA) to which business associates outsource services involving the PHI of covered entity health care providers, as those subcontractors are also business associates under HIPAA.
OCR’s notification does not provide enforcement relief to covered entity health plans or health care clearinghouses. The notification also seemingly does not extend to a business associate’s use and disclosure of PHI that it received or created when delivering services to covered entity health plans or health care clearinghouses.
Pursuant to the notification, OCR will not impose penalties against covered entity health care providers and their business associates for violations of only the following four HIPAA Privacy Rule provisions in connection with the COVID-19 public health emergency (so long as certain conditions, discussed below, are satisfied):
- Business Associates: Permitted Uses and Disclosures, 45 CFR § 164.502(a)(3)) (stating, in relevant part, that a business associate may use or disclose PHI only as permitted or required by its BAA or required by law, and cannot use or disclose PHI in a manner that would violate HIPAA if done by a covered entity)
- Disclosures to Business Associates: Documentation, 45 CFR § 164.502(e)(2) (requiring covered entities and business associates to enter into written BAAs with their business associates and subcontractors, respectively, that meet the requirements for BAAs set forth in the HIPAA Privacy Rule)
- Business Associate Contracts, 45 CFR § 164.504(e)(1) (requiring covered entities BAAs with their business associates to meet the content requirements set forth in the HIPAA Privacy Rule)
- Business Associate Contracts with Subcontractors, 45 CFR § 164.504(e)(5) (requiring business associates’ BAAs with their subcontractors to meet the content requirements for BAAs set forth in the HIPAA Privacy Rule).
OCR cautions that the notification does not extend enforcement relief to a covered entity’s or business associate’s obligations under other HIPAA Privacy Rule provisions, the HIPAA Security Rule or the HIPAA Breach Notification Rule.
Conditions of OCR’s Enforcement Discretion
In the notification, OCR sets forth two conditions that must be met before a covered entity health care provider or business associate can benefit from enforcement relief with respect to the four HIPAA Privacy Rule provisions listed above:
- The business associate’s use or disclosure of the covered entity health care provider’s PHI must be made in good faith for public health activities or health oversight activities consistent with the HIPAA Privacy Rule at 45 CFR §§ 164.512(b) and 164.512(d); and
- The business associate must inform the covered entity health care provider of such use or disclosure no later than 10 calendar days after the use or disclosure occurs or commences.
OCR notes that good faith uses or disclosures of PHI for COVID-19 public health or oversight include, for example, uses and disclosures for or to (1) the CDC or a similar state-level public health authority for the purpose of preventing or controlling the spread of COVID-19, and (2) CMS or a similar state-level health oversight agency for the purpose of overseeing and assisting the health care system in relation to COVID-19 response efforts.
Considerations for Business Associates
OCR’s notification provides regulatory comfort to business associates of covered entity health care providers that have understandably been hesitant to use or share PHI for public health and oversight activities related to COVID-19. Before embarking on such uses or disclosures, however, business associates should consider the following:
- Breach of Contract and Civil Liability Considerations. Although business associates that act in compliance with OCR’s notification are inoculated from regulatory enforcement, they could still face breach of contract or other civil claims if their actions under the notification violate the terms of their agreements with applicable covered entity health care providers. For instance, a business associate that uses the PHI of patients who tested positive for COVID-19 to create de-identified data for a public health authority may be in material breach of its contract with a health care provider if the contract prohibits or restricts de-identification activities. Business associates should consider the likelihood of such claims based on their customer contracts and relationships.
- Customer Relations. Covered entity health care providers may bristle at a business associate’s disclosure of their PHI to public health authorities or health oversight agencies without first being consulted about the disclosure. Although the notification does not require business associates to notify covered entity health care providers until 10 days after a public health or health oversight disclosure, business associates should develop an appropriate customer communications strategy. For example, a business associate may preemptively notify all or a strategically important subset of covered entity health care provider customers that the business associate intends to participate in these activities, and open a line of communication with customers related to the same.
- Minimum Necessary Standard. OCR’s notification does not relieve a business associate of its obligation to make reasonable efforts to use and disclose the minimum amount of PHI necessary to accomplish an intended purpose. Business associates should apply the Privacy Rule’s “minimum necessary” standard to limit the amount of PHI used and disclosed for the public health and oversight purposes described in the notification.
- Other Applicable Federal or State Privacy Laws. A Business associate should evaluate whether the uses or disclosures discussed in the notification may run afoul of other applicable federal or state health information privacy laws, such as 42 CFR. Part 2 or state laws governing the confidentiality of sensitive categories of health information.
- Security Safeguards. OCR has not waived its enforcement of the HIPAA Security Rule against business associates that use and disclose PHI for public health and oversight in connection with COVID-19. A business associate should ensure that it applies reasonable and appropriate technical, administrative and physical safeguards to protect any electronic PHI used or disclosed for such public health and oversight activities. OCR recommends, for instance, that a business associate ensure that it securely transfers any electronic PHI to a public health authority or health oversight agency.
- Breach or Incident Notification. In the event that a business associate suffers a breach of unsecured PHI, unauthorized use or disclosure, or security incident involving PHI it is processing for COVID-19 public health or oversight activities, the business associate may have reporting obligations under the HIPAA Breach Notification Rule and applicable BAAs with covered entity health care providers.
- Accounting of Disclosures. A business associate that discloses PHI to a public health authority or health oversight agency should document such disclosure to enable the covered entity health care providers to comply with patients’ requests for accountings of disclosures of their PHI. The business associate’s 10-day notice to the covered entity health care providers required by the notification may be insufficient to comply with any BAA provisions requiring the business associate to maintain documentation relevant to an accounting of disclosures, particularly if the business associate did not provide written notice to the health care provider concerning the disclosure.