Notification of enforcement discretion.
CFR Part: "45 CFR Parts 160 and 164"
Citation: "85 FR 19392"
Page Number: "19392"
"Rules and Regulations"
SUMMARY: This notification is to inform the public that the
DATES: The Notification of Enforcement Discretion will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency (as determined by 42 U.S.C. 247d), whichever occurs first.
FOR FURTHER INFORMATION CONTACT:
SUPPLEMENTARY INFORMATION: HHS is informing the public that it is exercising its discretion in how it applies the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). /1/
FOOTNOTE 1 Due to the public health emergency posed by COVID-19, the
The HIPAA Privacy Rule permits a business associate of a HIPAA covered entity to use and disclose PHI to conduct certain activities or functions on behalf of the covered entity, or provide certain services to or for the covered entity, but only pursuant to the explicit terms of a business associate contract or other written agreement or arrangement under 45 CFR 164.502(e)(2) (collectively, "business associate agreement" or BAA), or as required by law.
Federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers have requested PHI from HIPAA business associates (i.e., a disclosure of PHI), or requested that business associates perform public health data analytics on such PHI (i.e., a use of PHI by the business associate) for the purpose of ensuring the health and safety of the public during the COVID-19 national emergency, which also constitutes a nationwide public health emergency. Some HIPAA business associates have been unable to timely participate in these efforts because their BAAs do not expressly permit them to make such uses and disclosures of PHI.
II. Parameters and Conditions of Enforcement Discretion
To facilitate uses and disclosures for public health and health oversight activities during this nationwide public health emergency, effective immediately, OCR will exercise its enforcement discretion and will not impose penalties against a business associate or covered entity under the Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if, and only if:
* the business associate makes a good faith use or disclosure of the covered entity's PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d); and
* The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).
Examples of such good faith uses or disclosures covered by this Notification include uses and disclosures for or to:
This enforcement discretion does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. For example, business associates remain liable for complying with the Security Rule's requirements to implement safeguards to maintain the confidentiality, integrity, and availability of electronic PHI (ePHI), including by ensuring secure transmission of ePHI to the public health authority or health oversight agency. This Notification does not address other federal or state laws (including breach of contract claims) that might apply to the uses and disclosures of this information.
III. Collection of Information Requirements
This notice of enforcement discretion creates no legal obligations and no legal rights. Because this notice imposes no information collection requirements, it need not be reviewed by the
[FR Doc. 2020-07268 Filed 4-2-20;
BILLING CODE 4153-01-P