On April 2nd, HHS announced a new “Notification of Enforcement Discretion Under HIPAA to Allow Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19” (published in 85 Fed. Reg 193292 (April 7, 2020)).
Government officials charged with tracking the outcomes of infection and deaths caused by COVID-19 likely quickly realized that aggregators of health data – such as EMR/EHR vendors, as well as health information exchanges (HIEs) – could provide them with the largest data set the quickest. However, because many, if not most, business associate agreements (BAAs) between healthcare providers and their vendors do not list disclosures to public health authorities among the “permitted uses” of PHI, this was a barrier to getting at that information. In its Notification, HHS noted:
“Current regulations allow a HIPAA business associate to use and disclose protected health information for public health and health oversight purposes only if expressly permitted by its business associate agreement with a HIPAA covered entity.”
Thus, they were stuck with the traditionally much slower pathway of getting COVID-19 related data bit-by-bit as health care providers reported such information first to their states’ local public health departments, which in turn reported the data up to their respective state department of health, which then in turn finally reported the data to the appropriate federal health agencies – causing a major lag of several days, or more, in receiving that data.
Recognizing the value and pressing need to get at COVID-19 data as quickly as possible, OCR determined that it would not enforce HIPAA against any covered entity (CE) or business associate (BA) where the BA releases PHI related to COVID-19 directly for Public Health purposes or Health Oversight activities during the nationwide public health emergency. However, the following must be complied with:
- the Business Associate makes a good faith use or disclosure of the Covered Entity’s PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d); and
- the Business Associate informs each affected covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).
Examples of such good faith uses or disclosures covered by the Notification include uses and disclosures for or to:
- Centers for Disease Control and Prevention (CDC), or a similar Public Health Authority at the state level, for the purpose of preventing or controlling the spread of COVID-19, consistent with 45 CFR 164.512(b)
- Centers for Medicare and Medicaid Services (CMS), or a similar Health Oversight Agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with 45 CFR 164.512(d).
HIPAA defines “Public Health Authority” and “Health Oversight Agency” as follows:
“Public Health Authority” means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
“Health oversight agency” means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.
Permitted disclosures for Public Health Activities include the following:
(1) Permitted uses and disclosures. A covered entity may use or disclose PHI for the public health activities and purposes described in this paragraph to: (i) A Public Health Authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public [. . .]. See 45 CFR 164.512(b).
Permitted disclosures for Health Oversight Activities include the following:
(1) Permitted disclosures. A covered entity may disclose PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
(i) The health care system;
(ii) Government benefit programs for which health information is relevant to beneficiary eligibility;
(iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
(iv) Entities subject to civil rights laws for which health information is necessary for determining compliance. […] 45 CFR 164.512(d)
It is worth noting that although HHS has indicated it would not pursue HIPAA enforcement action against either a covered entity (CE) or its business associate (BA) if a BA were to release COVID-19 related data directly to a Public Health Authority, that does not necessarily guarantee that a CE might not claim that this is a violation of contract terms between the CE and its BA. After all, the disclosure of COVID-19 data by the BA directly to a Public Health Authority is not a mandatory or required-by-law disclosure, and so remains discretionary. Under the circumstances, one would think that no CE provider would oppose a BA disclosing such crucial data to the CDC or CMS – or other public health authority or health oversight agency – directly, even if their BAA does not expressly allow for this. However, BAs should remain mindful of potential opposition and could be best off if they engage their CE customers to encourage full cooperation by all parties under these unprecedented circumstances.