HHS won't enforce penalties for violations of certain provisions of the HIPAA privacy rule against healthcare providers or their business associates for good-faith disclosures of protected health information for public health purposes during the COVID-19 emergency.
The HHS Office for Civil Rights said Thursday that it was exercising its enforcement discrimination in making the policy change during the declared emergency period. The notification was issued to support federal and state agencies, including the CMS and the Centers for Disease Control and Prevention, that need access to COVID-19 related data including protected health information.
"The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic," OCR director Roger Severino said in a statement. "Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives."
HIPAA's privacy rule only allows business associates of HIPAA-covered entities to disclose protected health information for certain purposes under explicit terms of a written agreement.
Under the temporary enforcement waiver, OCR won't impose penalties for disclosure of protected health information if the business associate makes good-faith use or disclosure for public health activities and informs the covered entity within 10 business days.
This enforcement moratorium does not extend to other requirements or prohibitions under the privacy rule, nor to any obligations under the HIPAA security and breach notification rules, OCR said.
Modern Healthcare is providing some COVID-19 coverage for free as a public service and a show of gratitude for the frontline workers. Support essential journalism. Please subscribe here.