On April 2, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services released a notification related to the discretion that OCR will exercise concerning HIPAA enforcement during the COVID-19 public health emergency. Effective immediately, OCR will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against business associates for “good faith uses and disclosures of PHI by business associates for public health and health oversight activities.” HIPAA already permits covered entities to provide this data. With this new guidance from OCR, business associates can now disclose this data to certain public health authorities without risk of a HIPAA privacy enforcement action or penalty.

Healthcare entities should review the five-page notification, as the enforcement discretion gives business associates breathing room to assist public health agencies in responding to the COVID-19 outbreak. Still, this notification should not be looked at as a free pass on all aspects of HIPAA compliance.

OCR noted that federal, state and local public health authorities and health oversight agencies have requested PHI from HIPAA business associates or data analytics of such PHI as part of the virus response, but that some business associates were unable to assist due to HIPAA concerns. Thus, to facilitate the public health response, OCR will exercise its enforcement discretion if:

  • the business associate makes a “good faith use or disclosure” of the covered entity’s PHI for public health activities and health oversight activities [emphasis added]; and
  • the business associate informs the covered entity within ten days after the use or disclosure occurs (or commences, with respect to uses or disclosures that are ongoing).

The notification makes specific reference to such public health authorities as the CDC, state and local health departments and CMS (or similar oversight agency at the state level). Importantly, OCR expressly states that this enforcement discretion “does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities.” Thus, business associates must maintain compliance with the HIPAA Security Rule and implement safeguards to ensure the confidentiality and secure transmission of ePHI in response to any request from a public health authority. And, to be sure, this notification does not change the restrictions around the disclosure of PHI to non-government entities.

Proskauer’s cross-disciplinary, cross-jurisdictional Coronavirus Response Team is focused on supporting and addressing client concerns. Visit our Coronavirus Resource Center for guidance on risk management measures, practical steps businesses can take and resources to help manage ongoing operations.

Ryan Blaney

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including the Hatch-Waxman Act and Biosimilars Price Competition and Innovations Act.

Ryan serves information technology companies, public and private health care companies, hospitals and physician organizations, manufacturers, medical device companies, and health plans. He guides venture capital groups, private equity funds, investment banks, and other investors on health care regulatory issues in connection with financing, mergers and acquisitions, and restructuring.

Ryan’s work is greatly informed by his experience as a teacher. Prior to attending law school, Ryan earned a master’s degree in education and taught at an under-resourced Catholic middle school. He is known for his ability to communicate clearly and to coordinate large teams working on complex matters. Outside of his health law practice, Ryan has been repeatedly recognized for his public service and pro bono work. He has successfully handled numerous education-related cases, helped establish three nonprofit organizations and defended qualified recipients of disability benefits.