The Office for Civil Rights (OCR) within HHS, which is responsible for HIPAA enforcement, has issued another notice of enforcement discretion. Roger Severino, OCR Director, announced that OCR will exercise its enforcement discretion and not impose penalties for violations of certain HIPAA provisions.
OCR announces Notification of Enforcement Discretion to allow uses and disclosures of protected health information by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency. Learn more: https://t.co/zceyN7VVWd
— HHS OCR (@HHSOCR) April 2, 2020
This is a fairly narrow HIPAA enforcement discretion, but a good one. As the announcement notes, covered entities (healthcare delivery organizations and payers) were already permitted under HIPAA to share protected health information (PHI) with public health entities. Now, under this enforcement discretion, HIPAA Business Associates can also share PHI with public health entities for public health and health oversight activities during the COVID-19 nationwide public health emergency.
What does this mean in practice? If an EHR vendor (all of which are HIPAA Business Associates) or other health IT vendor wants to share EHR or other health data with a public health entity such as the CDC, CMS, or state and local health departments or emergency centers, it can. This also applies to state emergency operations centers that need access to COVID-19 related data.
I’d still be thoughtful in how you approach this data sharing. Is it related to COVID-19? Is there a need for the sharing? Is the data being shared with a specific purpose in mind? I don’t think this enforcement discretion will cover you if you simply open the fire hose and start sharing all of your health data. However, it should alleviate the concerns many companies would have about sharing COVID-19 data with public health entities that need it to plan appropriately.