The HHS/OCR has issued a notification of enforcement discretion as to allowable uses and disclosures of PHI by business associates (BA) for public health and health oversight activities.
Under current regulations a business associate may only use or disclose PHI for “public health and health oversight purposes” if that use is expressly permitted by its business associate agreement with a HIPAA covered entity (CE). Now, for the duration of the nationwide public health emergency and under OCR's enforcement discretion, the BA may use or disclose PHI as needed for public health and health oversight activities if the following requirements are met:
1. The use or disclosure of PHI by the BA is done in good faith for public health activities consistent with 45 CFR 164.512(b) or health oversight activities consistent with 45 CFR 164.512(d).
2. The BA advises the CE within 10 calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).
Examples would be uses and disclosures for or to the CDC or CMS for the purposes of preventing or controlling the spread of COVID-19 or assisting the health care system. For more on 45 CFR 164.512(b) and 45 CFR 164.512(d), click here.
The announcement today states clearly that this enforcement discretion does not extend to other requirements or prohibitions under the Privacy Rule or the Security and Breach Notification Rules. BAs must still “protect the confidentiality, integrity, and availability of electronic PHI (ePHI),” including ensuring secure transmission of ePHI to the public health authority or health oversight agency.
This Notification of Enforcement Discretion may be found here.