How to share PHI without violating HIPAA – OCR relaxes PHI laws for business associates

Business associates too can help fight against COVID-19 – No penalties for sharing PHI.

The HHS Office of Civil Rights (OCR) has relaxed the HIPAA laws for business associates too, allowing the business associates of a covered entity to join the fight against the COVID-19 pandemic.

Currently, business associates are allowed to use and share PHI only as per the terms defined in their Business Associate Agreements with covered healthcare providers. As per the HIPAA Privacy rule, business associates can use or disclose PHI only to conduct work on behalf of the covered entity, or provide services to or for the covered entity, or as required by law. 

The enforcement directive issued on April 2nd permits business associates to use and disclose patient information for public health and health oversight purposes to support COVID-19 response. 

This could help support the ongoing efforts to reduce the loss of life from COVID-19. Federal, state, and local health authorities and oversight agencies can now get quick access to COVID-19 related data held by business associates.

Ensure quick access to COVID-19 patient data

The HIPAA privacy rule already allows covered healthcare providers to share the COVID-19 related health data with health authorities and oversight agencies. However, the participation of business associates was being constrained because of their business associate contract obligations under HIPAA.

Some business associates were unable to help in the COVID-19 efforts in a timely manner as their business associate contracts didn’t explicitly permit them to do so. 

As per the OCR Director, Roger Severino, this new enforcement directive would help the federal, state and local health departments to get quick access to COVID-19 patient data and would increase the cooperation and information exchange between public health and oversight agencies and HIPAA business associates.

Enforcement discretion 

The enforcement directive promises that the OCR will exercise enforcement discretion, effective immediately, and will not penalize business associates or their covered entities for violations of the HIPAA Privacy rule arising from the good faith use and disclosure of COVID-19 related data for public health and health oversight activities.

Limitations of the enforcement discretion

The OCR enforcement discretion is subject to the limitations listed below. Business associates must stay within these parameters and conditions when using or sharing the PHI of a covered entity. Any use or disclosure outside them can still attract penalties.

Business associates can make a good faith use or disclosure of the PHI ONLY IF:

  1. The uses or disclosures are for public health purposes, such as for preventing or controlling the spread of the COVID-19 disease, or 
  2. The uses or disclosures are for health oversight activities, such as for overseeing and assisting the healthcare system as it relates to COVID-19 response, and
  3. The business associate informs the covered entity within 10 calendar days after the use or disclosure. But if it’s an ongoing activity, the covered entity must be informed within 10 days of starting the activity.

When using and disclosing PHI, business associates should be careful to follow Title 45 of the Code of Federal Regulations. Their activities have to comply with the permitted use and disclosure clauses of the federal regulations.

HIPAA Requirements that still apply

The directive hasn’t waived the other business associate obligations under the HIPAA law. Other requirements of the privacy, security and breach notification rules still apply, and business associates are required to comply with them.

If the business associate uses or shares electronic PHI, the disclosure must meet the Security rule requirements of the HIPAA law. The uses and disclosures should not violate the minimum necessary provisions of the Privacy rule. Similarly, business associates must continue to comply with the HIPAA Security rule requirements, including:

  1. Ensure the electronic PHI is transmitted securely
  2. Implement safeguards to ensure the confidentiality, integrity, and availability of the information
  3. Detect and shield against anticipated threats 
  4. Protect against impermissible use or disclosure

HIPAA waivers for Covered entities

Considering the severity of the COVID-19 pandemic, the HHS OCR has released guidance material for covered entities to explain how healthcare providers can share patient health information. The HHS guidance covers:

  • Disclosure of PHI to first responders, such as law enforcement, and paramedics
  • Sharing PHI with public health authorities, such as CDC and CMS
  • Sharing of information with the family, friends, and relatives of COVID-19 patients
  • Usage of Telehealth communication tools for connecting with patients and treating ailments

In conclusion

The OCR directive would definitely give the COVID-19 response efforts more flexibility. Even so, the notification does not extend the enforcement discretion to other HIPAA Privacy rule requirements or the business associate obligations under the Security rule. Likewise, the directive has not addressed other applicable federal or state laws. Businesses should exercise caution when using or disclosing PHI of a covered entity.

Are you a HIPAA business associate? What are your views regarding the HHS notification? We’d love to know. Please share your views with our readers in the comments section below.

Jessica Holland
