Written By: Margaret Scavotto, MPA and Sarah Badahman, HIPAAtrek
On April 2, 2020, the OCR issued a Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19.
This Notification, effective immediately, announces that the OCR will NOT impose HIPAA penalties against a business associate or covered entity for violations of the following Privacy Rule provisions, in the circumstances described below. Enforcement is waived for the following Privacy Rule sections:
- 45 CFR 164.502(a)(3): Business Associates: Permitted Uses and Disclosures
- 45 CFR 164.502(e)(2): Disclosures to Business Associates: Documentation
- 45 CFR 164.504(e)(1): Business Associate Contracts
- 45 CFR 164.504(e)(5): Business Associate Contracts with Subcontractors
Enforcement of these sections will not occur in the following circumstances:
- A business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b) or health oversight activities consistent with 45 CFR 164.512(d); AND
- The business associate informs the covered entity within 10 calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).
If a business associate makes one of these disclosures, and the covered entity and business associate have not had time to update their business associate agreement to allow for such disclosures, OCR will not impose penalties.
An example of how this waiver might apply to you:
- Suppose a business associate is contacted by the local public health department and asked questions during a health investigation related to a COVID-19 patient. Under this waiver, the business associate is permitted to disclose the requested information to the public health department. This type of disclosure is not typically permitted if it is not specifically outlined in the BAA; the waiver allows it. Within 10 days of the disclosure to the public health department, the business associate must inform the covered entity that the disclosure was made.
Business associates are STILL expected to comply with the Security Rule. For example, ePHI must be securely transmitted to the public health authority or health oversight agency.
HIPAAtrek and MPA are here to help navigate and guide HIPAA compliance. Our priority is you – our clients, our healthcare providers, and healthcare administrators. We understand that this is a confusing and scary time. Now more than ever, please reach out with your compliance questions. We are here to help alleviate your compliance burden both now and in the future. Stay healthy.
Sincerely,