The Big Picture
On April 2, the U.S. Department of Health and Human Services (HHS) issued a public notice (the Notice) stating that the department will not impose penalties under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) on business associates that use or disclose protected health information (PHI) for public health and health oversight activities during the COVID-19 public health emergency. The Notice will be published formally in the Federal Register on April 7 and will take effect immediately.
Current HIPAA Privacy Rule
The HIPAA Privacy Rule permits covered entities such as healthcare providers and health plans to use and disclose PHI for certain public health and health oversight activities.1 Public health activities may include, among other things, reporting communicable diseases to public health authorities, carrying out public health investigations at a public health authority’s request, participating in certain prescription drug monitoring activities and notifying a person exposed to a communicable disease if authorized to do so by law. Health oversight activities may include disclosing PHI to a health oversight agency carrying out audits, investigations, inspections, licensure or disciplinary actions, proceedings, or other activities necessary for appropriate oversight of the healthcare system, government benefit programs, other health regulatory schemes and civil rights laws.
Business associates may also use and disclose PHI for public health and health oversight activities, but only if permitted under their business associate agreements with covered entities.2 According to HHS, since the COVID-19 pandemic began, state and federal public health authorities, emergency operations centers and other government agencies have been unable to obtain PHI or data analytics from certain business associates relating to COVID-19 because the business associate agreements of those entities do not permit such uses or disclosures.
Scope of the Enforcement Discretion
The Notice states that HHS will exercise its enforcement discretion by not imposing penalties under HIPAA for the use or disclosure of PHI by a business associate for public health or health oversight activities, even if the applicable business associate agreement does not authorize the business associate to do so. Enforcement discretion will be contingent on two conditions:
- The business associate’s use or disclosure of PHI for public health or health oversight must be in “good faith.”
- The business associate must notify the relevant covered entities within ten days of the use or disclosure.
The Notice cites disclosures to the Centers for Disease Control and Prevention and the Centers for Medicare & Medicaid Services as examples of good faith disclosures.
Limits to the Enforcement Discretion
The Notice does not waive penalties under the HIPAA Security Rule or other state or federal laws. Notably, the Notice states expressly that it does not insulate business associates from breach of contract claims.
The exercise of enforcement discretion is not a waiver. The HIPAA provisions addressed in the Notice are not waivable under Section 1135 of the Social Security Act. However, the Notice should provide business associates with similar protection, much like the recent notice issued by HHS indicating the department’s intent to exercise enforcement discretion with respect to the use of FaceTime and similar platforms for telehealth visits.
The Notice will remain in effect until the secretary of HHS declares that the public health emergency no longer exists or upon the expiration date of the declared public health emergency (as determined by 42 U.S.C. 247d), whichever occurs first.
1 45 CFR 164.512(b) and (d).
2 45 CFR 164.502(e)(2).