[Federal Register Volume 85, Number 67 (Tuesday, April 7, 2020)]
[Rules and Regulations]
[Pages 19392-19393]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-07268]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

45 CFR Parts 160 and 164


Enforcement Discretion Under HIPAA To Allow Uses and Disclosures 
of Protected Health Information by Business Associates for Public 
Health and Health Oversight Activities in Response to COVID-19

AGENCY: Office of the Secretary, HHS.

ACTION: Notification of enforcement discretion.

-----------------------------------------------------------------------

SUMMARY: This notification is to inform the public that the Department 
of Health and Human Services (HHS) is exercising its discretion in how 
it applies the Privacy Rule under the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA). Current regulations allow a HIPAA 
business associate to use and disclose protected health information for 
public health and health oversight purposes only if expressly permitted 
by its business associate agreement with a HIPAA covered entity. 
Effective immediately, the HHS Office for Civil Rights (OCR) will 
exercise its enforcement discretion and will not impose potential 
penalties for violations of certain provisions of the HIPAA Privacy 
Rule against covered health care providers or their business associates 
for uses and disclosures of protected health information by business 
associates for public health and health oversight activities during the 
COVID-19 nationwide public health emergency.

DATES: The Notification of Enforcement Discretion will remain in effect 
until the Secretary of HHS declares that the public health emergency no 
longer exists, or upon the expiration date of the declared public 
health emergency (as determined by 42 U.S.C. 247d), whichever occurs 
first.

FOR FURTHER INFORMATION CONTACT: Rachel Seeger at (202) 619-0403 or 
(800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION: HHS is informing the public that it is 
exercising its discretion in how it applies the Privacy Rule under the 
Health Insurance Portability and Accountability Act of 1996 (HIPAA).\1\
---------------------------------------------------------------------------

    \1\ Due to the public health emergency posed by COVID-19, the 
HHS Office for Civil Rights (OCR) is exercising its enforcement 
discretion under the conditions outlined herein. We believe that 
this guidance is a statement of agency policy not subject to the 
notice and comment requirements of the Administrative Procedure Act 
(APA). 5 U.S.C. 553(b)(A). OCR additionally finds that, even if this 
guidance were subject to the public participation provisions of the 
APA, prior notice and comment for this guidance is impracticable, 
and there is good cause to issue this guidance without prior public 
comment and without a delayed effective date. 5 U.S.C. 553(b)(B) & 
(d)(3).

---------------------------------------------------------------------------


I. Background

    The Office for Civil Rights (OCR) at the Department of Health and 
Human Services (HHS) is responsible for enforcing certain regulations 
issued under the Health Insurance Portability and Accountability Act of 
1996 (HIPAA), and the Health Information Technology for Economic and 
Clinical Health (HITECH) Act, to protect the privacy and security of 
protected health information (PHI), namely, the HIPAA Privacy, 
Security, and Breach Notification Rules (the HIPAA Rules).
    The HIPAA Privacy Rule permits a business associate of a HIPAA 
covered entity to use and disclose PHI to conduct certain activities or 
functions on behalf of the covered entity, or provide certain services 
to or for the covered entity, but only pursuant to the explicit terms 
of a business associate contract or other written agreement or 
arrangement under 45 CFR 164.502(e)(2) (collectively, ``business 
associate agreement'' or BAA), or as required by law.
    Federal public health authorities and health oversight agencies, 
state and local health departments, and state emergency operations 
centers have requested PHI from HIPAA business associates (i.e., a 
disclosure of PHI), or requested that business associates perform 
public health data analytics on such PHI (i.e., a use of PHI by the 
business associate) for the purpose of ensuring the health and safety 
of the public during the COVID-19 national emergency, which also 
constitutes a nationwide public health emergency. Some HIPAA business 
associates have been unable to participate in these efforts in a timely 
manner because their BAAs do not expressly permit them to make such 
uses and disclosures of PHI.

II. Parameters and Conditions of Enforcement Discretion

    To facilitate uses and disclosures for public health and health 
oversight activities during this nationwide public health emergency, 
effective immediately, OCR will exercise its enforcement discretion and 
will not impose penalties against a business associate or covered 
entity under the Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 
164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if, and only if:
    • the business associate makes a good faith use or disclosure of 
the covered entity's PHI for public health activities consistent with 
45 CFR 164.512(b), or health oversight activities consistent with 45 
CFR 164.512(d); and
    • the business associate informs the covered entity within ten (10) 
calendar days after the use or disclosure occurs (or commences, with 
respect to uses or disclosures that will repeat over time).
    Examples of such good faith uses or disclosures covered by this 
Notification include uses and disclosures for or to:
    • the Centers for Disease Control and Prevention (CDC), or a 
similar public health authority at the state level, for the purpose of 
preventing or controlling the spread of COVID-19, consistent with 45 
CFR 164.512(b); and
    • the Centers for Medicare and Medicaid Services (CMS), or a 
similar health oversight agency at the state level, for the purpose of 
overseeing and providing assistance for the health care system as it 
relates to the COVID-19 response, consistent with 45 CFR 164.512(d).
    This enforcement discretion does not extend to other requirements 
or prohibitions under the Privacy Rule, nor to any obligations under 
the HIPAA Security and Breach Notification Rules applicable to business 
associates and covered entities. For example, business associates 
remain liable for complying with the Security Rule's requirements to 
implement safeguards to maintain the confidentiality, integrity, and 
availability of electronic PHI (ePHI), including by ensuring secure 
transmission of ePHI to the public health authority or health oversight 
agency. This Notification does not address other federal or state laws 
(including breach of contract claims) that might apply to the uses and 
disclosures of this information.

III. Collection of Information Requirements

    This notice of enforcement discretion creates no legal obligations 
and no legal rights. Because this notice imposes no information 
collection requirements, it need not be reviewed by the Office of 
Management and Budget under the Paperwork Reduction Act of 1995 (44 
U.S.C. 3501 et seq.).

Roger T. Severino,
Director, Office for Civil Rights, Department of Health and Human 
Services.
[FR Doc. 2020-07268 Filed 4-2-20; 4:15 pm]
BILLING CODE 4153-01-P