In light of the rapidly changing coronavirus (COVID-19) situation, Troutman Sanders and Pepper Hamilton have postponed the effective date of their previously announced merger until July 1, 2020. The new firm – Troutman Pepper – will feature 1,100+ attorneys across 23 U.S. offices. Read more.


Insight Center: Publications

HHS to Exercise Enforcement Discretion Over HIPAA Privacy Rule for PHI Disclosures by Business Associates

Client Alert

Authors: Sharon R. Klein, Jan P. Levine, Alex C. Nisenbaum, Erin S. Whaley and Karen H. Shin

HHS to Exercise Enforcement Discretion Over HIPAA Privacy Rule for PHI Disclosures by Business Associates

On April 2, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) announced that, effective immediately, it will exercise its enforcement discretion over certain provisions of the HIPAA Privacy Rule by not imposing penalties on health care providers or their business associates that use and disclosure protected health information (PHI) in “good faith” for public health and health oversight activities during the COVID-19 nationwide public health emergency. OCR’s exercise of enforcement discretion is intended to support federal, state and local health authorities’ access to COVID-19-related data, including PHI.

The HIPAA Privacy Rule allows a business associate of a HIPAA-covered entity to use and disclose PHI to provide certain services for the covered entity or conduct certain activities or functions on behalf of the covered entity, but only pursuant to the express terms of a business associate agreement (BAA) or as required by law. OCR’s announcement suggests that some business associates were unable to assist public health authorities and health oversight agencies in the response to COVID-19 by providing or analyzing PHI because their BAAs did not allow for it.

To enable business associates to participate in these activities, OCR stated it will not impose penalties against a business associate or covered entity for the violation of the following HIPAA Privacy Rule provisions:

  • 45 C.F.R. 164.502(a)(3) – the requirement that a business associate only use or disclose PHI as permitted or required by its BAA or other arrangement or as required by law

  • 45 C.F.R. 164.502(e)(2) – the requirement that covered entities obtain in writing satisfactory assurances from the business associate to appropriately safeguard the PHI disclosed by the covered entity, and the same requirement for the business associate and its subcontractor(s)

  • 45 C.F.R. 164.504(e)(1) and (5) – the requirements of a BAA.

However, the following conditions must be met:

  • the business associate must make a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 C.F.R. 164.512(b), or health oversight activities consistent with 45 C.F.R. 164.512(d)

  • the business associate must inform the covered entity within 10 calendar days after the use or disclosure occurs (or commences with respect to uses or disclosures that will repeat over time).

Examples of “good faith uses or disclosures” include uses and disclosures for or to the Centers for Disease Control and Prevention, the Centers for Medicare and Medicaid Services, or similar public health authorities or health oversight agencies at the state level for the purpose of preventing or controlling the spread of COVID-19 or for overseeing and providing assistance for the health care system as it relates to the COVID-19 response.

This enforcement discretion does not extend to any other requirements or prohibitions under the HIPAA Privacy Rule or the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. For instance, business associates must still comply with the Security Rule’s requirements to implement safeguards to maintain the confidentiality, integrity and availability of electronic PHI (ePHI), including by ensuring secure transmission of ePHI to the public health authority or health oversight agency. The enforcement discretion also does not address any other applicable state or federal laws, such as breach of contract claims.

This is not the first time HHS has provided limited relief from enforcement of certain provisions of the HIPAA Privacy Rule during the COVID-19 nationwide public health emergency. On March 15, HHS issued a waiver of sanctions for noncompliance with the patient’s right to request privacy restrictions and confidential communications and the requirements to obtain a patient's consent to speak with family members or friends involved in the patient’s care, honor a request to opt out of the facility directory, and distribute a notice of privacy practices. On March 17, the OCR announced it would exercise its enforcement discretion and waive potential penalties for HIPAA Privacy Rule violations related to the use of certain remote communication technologies to provide telehealth services during the pandemic.

The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.

Data protection laws have changed, so we have revised our Privacy Policy.