Relaxation of HIPAA provisions allows increased information sharing between private and public sector entities.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced on April 2, 2020, that it will exercise its enforcement discretion by not penalizing violations of certain provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Violations by healthcare providers and their business associates will not be penalized when these violations are “good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.”
- This change in enforcement seems designed to allow business associates of healthcare providers to provide COVID-19 related data to public health authorities and health oversight agencies.
- The language of the HHS Notification is somewhat unspecific, which labs and other entities should take into consideration.
- This move helps to coordinate the public and private sectors' response to the COVID-19 pandemic.
HHS described two examples:
- The CDC or similar state agency making a disclosure “for the purpose of preventing or controlling the spread of COVID-19.”
- CMS or similar state agency making a disclosure “for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response.”
HHS did not provide any specific scenarios to illustrate these examples.