OCR issues notification of enforcement discretion for business associates in response to COVID-19 pandemic
by Rick Kuwahara COO of Paubox
The Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion to allow Business Associates more leeway in good faith uses and disclosures of protected health information (PHI) during the national public emergency caused by COVID-19.
Effective immediately, the Notification states that the OCR will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against healthcare providers or their business associates for the good faith uses and disclosures of PHI by business associates for public health and health oversight activities.
This announcement is inline with the earlier limited waiver of HIPAA sanctions announced in mid-March.
The end goal of both announcements is to make sure the flow of PHI to help quickly treat patients is not hindered by HIPAA regulations, as long as it is done in good faith.
This is especially true when Federal public health authorities and health oversight agencies, like the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers may quickly need access to COVID-19 related data, including PHI.
The HIPAA Privacy Rule already permits covered entities to provide this data, and the Notification now permits business associates to also share this data without risk of a HIPAA penalty.
Takeaways for Business Associates
The Notification does not eliminate the HIPAA Privacy Rule, but just gives OCR leeway in how it enforces it.
That means Business Associates still need to adhere to the HIPAA Privacy Rule in the vast majority of situations, with the only exception being in assisting public health and health oversight activities during the COVID-19 nationwide public health emergency.
It also means that fines and enforcement may still occur during activities, so Business Associates should still be safeguarding PHI as much as possible.
The full notification can be found here.
OCR also created a web page with its COVID-19 updates here.
See Related: HIPAA Compliant Email: The Definitive Guide