COVID-19 Pandemic Results in Easing of HIPAA Enforcement by HHS

The Department of Health and Human Services (HHS) has announced that it will ease the sanctioning of penalties for specific data privacy breaches during the COVID-19 pandemic.

The Notice of Enforcement Discretion applies to breaches of the HIPAA Privacy Rule by healthcare providers and their business associates for good-faith disclosures of protected health information for public health purposes during the current health crisis.

The HIPAA Privacy Rule states that business associates of HIPAA-covered entities are only permitted to share protected health information for specific reasons detailed in their business associate agreement (BAA) with a HIPAA-covered entity. The temporary Notice of Enforcement Discretion states that the OCR will not sanction penalties in relation to the disclosure of protected health information if the business associate makes good-faith uses or disclosures for public health activities and informs the covered entity of the use or disclosure within 10 business days.

The announcement was made last week to improve data sharing with public health agencies such as the Centers for Medicare and Medicaid Services (CMS) and the Centers for Disease Control and Prevention, which require access to COVID-19 related data, possibly including protected health information, to achieve their objectives.

In relation to the move, OCR director Roger Severino commented: “The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic. Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

OCR explained that the Notice of Enforcement Discretion does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules.

Sanctions and penalties will not be imposed on covered entities that do not comply with the following provisions of the HIPAA Privacy Rule, as of March 15, 2020:

  • All requirements to obtain a patient’s permission to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • All requirements to respect a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • All requirements to share a notice of privacy practices. See 45 CFR 164.520.
  • The right to request privacy restrictions for a patient. See 45 CFR 164.522(a).
  • The right to request confidential communications of a patient. See 45 CFR 164.522(b).

The Notice of Enforcement Discretion will remain in effect for the duration of the COVID-19 public health emergency or until the HHS Secretary declares the public health emergency is over.

OCR Director Roger Severino also stated: “HHS is committed to leaving no one behind during an emergency, and this guidance is designed to help health care providers meet that goal. Persons with disabilities, with limited English skills, or needing religious accommodations should not be put at the end of the line for health services during emergencies. Our civil rights laws protect the equal dignity of every human life from ruthless utilitarianism.”