HIPAA Enforcement Discretion for HIPAA Business Associates to Share Health Data with Public Health Organizations

OCR (Office for Civil Rights) inside of HHS which is in charge of HIPAA enforcement has issued another notice of enforcement discretion. Roger Severino, OCR Director, announced that OCR will exercise it’s enforcement discretion and not impose penalties for violations of certain HIPAA provisions.

This is a pretty narrow HIPAA enforcement discretion, but is a good one. As is noted in the announcement, covered entities (healthcare delivery organizations and payers) were already granted permission under HIPAA to share protected health information (PHI) with public health entities. Now under this enforcement discretion, HIPAA Business Associates can share PHI with public health entities.

What does this mean in practicality? If an EHR vendor (all of which are HIPAA Business Associates) or other health IT vendor wants to share EHR or other health data with a public health entity like the CDC, CMS, or state and local health departments or emergency centers, they can. This also applies to state emergency operations center who need access to COVID-19 related data.

I’d still be thoughtful in how you approach this data sharing. Is it related to COVID-19? Is there a need for the sharing? Is the data shared with a purpose in mind? I don’t think this enforcement discretion will cover you if you just open the fire hose and start sharing all your health data. However, this should also alleviate the concerns many companies would have sharing COVID-19 with public health entities who need the data to plan appropriately.

About the author

John Lynn

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

1 Comment

Click here to post a comment