{"id":2827,"date":"2020-04-13T11:06:43","date_gmt":"2020-04-13T11:06:43","guid":{"rendered":"https:\/\/www.empowerelearning.com\/blog\/?p=2827"},"modified":"2023-11-08T06:19:29","modified_gmt":"2023-11-08T06:19:29","slug":"how-to-share-phi-without-violating-hipaa-ocr-relaxes-phi-laws-for-business-associates","status":"publish","type":"post","link":"https:\/\/www.empowerelearning.com\/blog\/how-to-share-phi-without-violating-hipaa-ocr-relaxes-phi-laws-for-business-associates\/","title":{"rendered":"Guidelines for Distributing PHI Without Breaching HIPAA \u2013 OCR Eases PHI Regulations for Business Associates"},"content":{"rendered":"

Hipaa for Business associates too can help fight against COVID-19 \u2013 No penalties for sharing PHI.<\/span><\/p>\n

HHS Office of Civil Rights (OCR) has relaxed the HIPAA laws for business associates too; allowing the business associates of a covered entity to join the fight against the COVID-19 pandemic.\u00a0<\/span><\/p>\n

Currently, business associates are allowed to use and share PHI only as per the terms defined in their Business Associate Agreements with covered healthcare providers. As per the HIPAA Privacy rule, business associates can use or disclose PHI only to conduct work on behalf of the covered entity, or provide services to or for the covered entity, or as required by law.\u00a0<\/span><\/p>\n

The <\/span>enforcement directive<\/span><\/a> issued on April 2<\/span>nd<\/span> permits business associates to use and disclose patient information for public health and health oversight purposes to support COVID-19 response.\u00a0<\/span><\/p>\n

This could help support the ongoing efforts to reduce the loss of lives to the COVID-19 disease. Federal, state, and local health authorities and oversight agencies can now get quick access to COVID-19 related data held by business associates.\u00a0<\/span><\/p>\n

Ensure quick access to COVID-19 patient data<\/b><\/h3>\n

The HIPAA privacy rule already allows covered healthcare providers to share the COVID-19 related health data with health authorities and oversight agencies. However, the participation of business associates was being constrained because of their business associate contract obligations under HIPAA.<\/span><\/p>\n

Some business associates were unable to help in the COVID-19 efforts in a timely manner as their business associate contracts didn\u2019t explicitly permit them to do so.\u00a0<\/span><\/p>\n

As per the OCR Director, <\/span>Roger Severino<\/span><\/a>, this new enforcement directive would help the federal, state and local health departments to get quick access to COVID-19 patient data and would increase the cooperation and information exchange between public health and oversight agencies and HIPAA business associates.<\/span><\/p>\n

Enforcement discretion\u00a0<\/b><\/h3>\n

The enforcement directive promises that the OCR will exercise enforcement discretion, effective immediately, and will not penalize business associates or their covered entities for the violation of HIPAA Privacy rule for the good faith use and disclosure of COVID-19 related data for public health and health oversight activities.\u00a0<\/span><\/p>\n

Limitations of the enforcement discretion<\/b><\/h3>\n

The OCR enforcement discretion is subjected to the limitations listed below. Business associates must be careful of these parameters and conditions when using or sharing the PHI of a covered entity. All instances otherwise can still attract penalties.\u00a0<\/span><\/p>\n

Business associates can make a good faith use or disclosure of the PHI ONLY IF<\/b><\/h3>\n
    \n
  1. The uses or disclosures are for <\/span>public health purposes<\/span><\/a>, such as for preventing or controlling the spread of the COVID-19 disease, or\u00a0<\/span><\/li>\n
  2. The uses or disclosures are for <\/span>health oversight activities<\/span>, such as for overseeing and assisting the healthcare system as it relates to COVID-19 response, and<\/span><\/li>\n
  3. The business associate informs the covered entity within 10 calendar days after the use of the disclosure. But if it\u2019s an ongoing activity, the covered entity must be informed within 10 days of starting the activity.<\/span><\/li>\n<\/ol>\n

    When using and disclosing the PHI, business associates should be careful to follow the <\/span>45 Code of Federal regulations<\/span><\/a>. Your activities have to be in compliance with the permitted uses and disclosure clauses of the federal regulations.\u00a0<\/span><\/p>\n

    HIPAA Requirements that still apply<\/b><\/h3>\n

    The directive hasn\u2019t waived off the other business associate obligations under the HIPAA law. Other requirements of the privacy, security and breach notification rules still apply. Business associates are liable to comply with them.<\/span><\/p>\n

    If the business associate uses or shares electronic PHI, the disclosure must meet the Security rule requirements of the HIPAA law. The usage and disclosures should not violate the minimum necessary provisions of the Privacy rule. Similarly they must continue to comply with the HIPAA security rule requirements, including:\u00a0<\/span><\/p>\n

      \n
    1. Ensure the electronic PHI is transmitted securely\u00a0\u00a0<\/span><\/li>\n
    2. Implement safeguard to ensure the confidentiality, integrity, and availability of the information<\/span><\/li>\n
    3. Detect and shield against anticipated threats\u00a0<\/span><\/li>\n
    4. Protect against impermissible use or disclosure<\/span><\/li>\n<\/ol>\n[Also Read: Understanding HIPAA Privacy Rule-The Three Fundamental Rules to Keep in Mind<\/a>]\n

      HIPAA waivers for Covered entities<\/b><\/h3>\n

      Considering the severity of the COVID-19 pandemic; the HHS OCR has released <\/span>guidance material for covered entities<\/span><\/a> to explain how healthcare providers can share patient health information. The HHS guidance covers:<\/span><\/p>\n