Business Associates Cleared to Make ‘Good Faith’ Disclosures of PHI
In the latest move to relax certain HIPAA requirements during the COVID-19 crisis, federal regulators Thursday paved the way for business associates to share protected health information for public health-related activities during the pandemic.
The Department of Health and Human Services’ Office for Civil Rights, the agency that enforces HIPAA, outlined the new policy in a statement issued Thursday. OCR will now exercise “enforcement discretion” for violations of certain provisions of the HIPAA Privacy Rule involving “good faith” uses and disclosures of protected health information by business associates for public health-related activities during the crisis.
The move was made because of the urgent need for access to COVID-19 data by federal public health authorities and health oversight agencies, including the Centers for Disease Control and Prevention and Centers for Medicare and Medicaid Services, as well as state and local health departments and state emergency operations centers, OCR says.
“The HIPAA Privacy Rule already permits covered entities to provide this data, and today’s announcement now permits business associates to also share this data without risk of a HIPAA penalty,” OCR says.
“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” Roger Severino, OCR director, said in the statement. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”
Thursday’s notice of HIPAA enforcement discretion is OCR’s latest move in recent weeks to ease certain HIPAA requirements during the coronavirus outbreak.
On March 17, OCR issued immediate limited waivers of certain HIPAA privacy provisions aimed at helping improve patient care and information sharing. For example, providers are now allowed to offer telehealth services through certain video chat applications.
The latest moves related to business associates “are designed to clearly permit certain currently desirable activities, similar to what they did on telehealth,” he says. “It wasn’t clear to me that BAs couldn’t already make some of these disclosures, but this particular step seems reasonably tailored to a specific need. I don’t see any significant risk that a BA would abuse this situation.”
But privacy attorney David Holtzman of the security consultancy CynergisTek says OCR’s latest HIPAA action will allow business associates to supply government agencies – and their contractors – PHI from HIPAA covered entities without first notifying those entities. “The HIPAA covered entity may only learn of the disclosure if the business associate provides a notice later,” he adds.
‘Good Faith’ Activities
OCR says examples of good faith business associate activities covered by its notice of enforcement discretion include uses and disclosures of PHI to:
- CDC, or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID-19;
- CMS, or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the healthcare system as it relates to the COVID-19 response.
“This enforcement discretion does not extend to other requirements or prohibitions under the privacy rule, nor to any obligations under the HIPAA security and breach notification rules applicable to business associates and covered entities,” OCR points out.
“Business associates remain liable for complying with the security rule’s requirements to implement safeguards to maintain the confidentiality, integrity and availability of electronic PHI, including by ensuring secure transmission of ePHI to the public health authority or health oversight agency.”
Beware of Risks
Holtzman advises healthcare entities to take certain steps in light of the latest OCR moves.
“Covered entities should contact their data service providers to ensure that they have appropriate information security safeguards to assemble and transmit PHI sought by government affiliated public health agencies or organizations,” he says. “They should also confirm that there is a process in place for transmitting notices when there has been a use or disclosure of PHI as a result of a request made directly to the business associate.”
Covered entities also should “take steps to ensure that they receive a timely and complete accounting of what data was disclosed, who was the recipient of the PHI, and what was the purpose of the disclosure,” Holtzman adds.
The process by which data service providers that are HIPAA business associates receive inquiries from government agencies asking for their collection of PHI about coronavirus patient testing and treatment poses significant risk that the data will fall into the wrong hands, he warns. “As we have seen throughout the response to the COVID-19 pandemic, there is not a coordination in the collection or reporting of public health data,” he points out.
Meanwhile, he notes, “hackers have wasted no time to exploit the coronavirus pandemic to attack healthcare organizations and cloud-based data processors.” For instance, phishing attacks have spoofed communications from the CDC and other agencies.