OCR issues notification of enforcement discretion for business associates in response to COVID-19 pandemic


The Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion to allow Business Associates more leeway in good faith uses and disclosures of protected health information (PHI) during the national public emergency caused by COVID-19.

Effective immediately, the Notification states that the OCR will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against healthcare providers or their business associates for the good faith uses and disclosures of PHI by business associates for public health and health oversight activities.

This announcement is in line with the earlier limited waiver of HIPAA sanctions announced in mid-March.

The end goal of both announcements is to make sure the flow of PHI to help quickly treat patients is not hindered by HIPAA regulations, as long as it is done in good faith.

This is especially true when Federal public health authorities and health oversight agencies, like the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers may quickly need access to COVID-19 related data, including PHI.

The HIPAA Privacy Rule already permits covered entities to provide this data, and the Notification now permits business associates to also share this data without risk of a HIPAA penalty.

Takeaways for Business Associates

The Notification does not eliminate the HIPAA Privacy Rule, but just gives OCR leeway in how it enforces it.

That means Business Associates still need to adhere to the HIPAA Privacy Rule in the vast majority of situations, with the only exception being in assisting public health and health oversight activities during the COVID-19 nationwide public health emergency.

It also means that fines and enforcement may still occur during activities, so Business Associates should still be safeguarding PHI as much as possible.

The full notification can be found here.

OCR also created a web page with its COVID-19 updates here.


About the author

Rick Kuwahara

Rick Kuwahara is COO and Chief Compliancy Officer for Paubox.
