04/16/2020

OCR Issues Additional Waivers of HIPAA Enforcement Discretion

The waivers are in response to COVID-19

In response to the COVID-19 public health emergency, the HHS Office for Civil Rights (OCR) has issued a variety of notices, bulletins, and other guidance over the past two months to assist healthcare providers and others in the healthcare industry in the fight to minimize the spread of COVID-19. In our alert dated March 19, 2020, we discussed OCR's notification that it will exercise enforcement discretion and waive HIPAA penalties against covered healthcare providers for their good faith provision of telehealth services during the COVID-19 public health emergency. Last week, OCR issued two additional notices in which it exercises further enforcement discretion by waiving HIPAA penalties during the emergency, which are summarized below.

Business Associate Disclosures for Public Health and Health Oversight Activities
Under HIPAA, Covered Entities are permitted to use and disclose Protected Health Information (PHI) in connection with certain public health and health oversight activities pursuant to 45 C.F.R. § 164.512(b) and 45 C.F.R. § 164.512(d), respectively. Business Associates, on the other hand, are limited by HIPAA and the terms of their Business Associate Agreements (BAAs) with Covered Entities with respect to the uses and disclosures of PHI that they may undertake. While Business Associates are permitted under their BAAs to use and disclose PHI to conduct certain activities or functions on behalf of Covered Entities or provide services to Covered Entities pursuant to their service agreements, these agreements may not contemplate the types of disclosures that Business Associates are being asked to make in connection with the country's response to the COVID-19 emergency.

Thus, on April 2, 2020, OCR announced that it will not impose penalties for noncompliance with HIPAA's limitations on the purposes for which a Business Associate may use and disclose PHI, where a Business Associate makes a good faith use or disclosure of a Covered Entity's PHI for public health activities consistent with 45 C.F.R. § 164.512(b) or health oversight activities consistent with 45 C.F.R. § 164.512(d), provided that the Business Associate informs the applicable Covered Entity that PHI has been disclosed within ten (10) calendar days after the use or disclosure occurs or commences.

Please select this link to read the complete article from Venable, LLP.