The United States Department of Health and Human Services (HHS), which oversees enforcement of the Health Insurance Portability and Accountability Act (HIPAA), announced that it will use regulatory discretion to refrain from strictly enforcing compliance with certain provisions of HIPAA in order to give organizations more breathing space in the fight against the spread of Coronavirus.
The HIPAA Privacy Rule permits a business associate, such as a service provider of a HIPAA covered entity, such as a hospital, to use and disclose personal health information only in limited circumstances. These permissions primarily cover the business associate’s performance of activities or functions on behalf of the covered entity under the explicit terms of the agreement with the covered entity.
This month, HHS acknowledged that Federal and state public health authorities may require business associates to conduct further processing or disclosure of personal health information, such as public health data analytics, to promote public health and safety during the COVID-19 emergency. The HHS will use its enforcement discretion and will not impose penalties where a business associate discloses the information in good faith for public health activities, so long as it provides notice to the covered entity of such disclosure within 10 days of disclosure.
The HHS emphasized that business associates remain liable for complying with the requirement to implement safeguards to maintain the confidentiality, integrity, and availability of health information, including by secure transmission of such information to the public health authority or health oversight agency.
CLICK HERE to read the US Department of Health and Human Service’s Statement.