On December 18, 2020, the United States Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued guidance specific to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the COVID-19 public health emergency. The guidance addresses permitted HIPAA disclosures of Protected Health Information (“PHI”) by covered entities and business associates via health information exchanges (“HIEs”) for certain public health purposes.
OCR issued this guidance in order “to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency.”
Specifically, the OCR guidance explains when a covered entity or business associate may disclose PHI, without individual authorization, to an HIE for purposes of reporting to a public health authority (“PHA”). OCR permits such disclosure when:
- The disclosure is required by law (such as “where a state law requires hospitals to transmit patient treatment and laboratory testing data to an HIE for the purpose of reporting to the appropriate state or local public health department”);
- An HIE is a business associate of the relevant entity. (OCR will exercise its enforcement discretion, and will not impose penalties, if a business associate HIE discloses PHI to a PHA during the COVID-19 public health emergency, even if such disclosure is not permitted by the relevant business associate agreement); or
- An HIE acts under grant authority or pursuant to a contractual relationship with a PHA for a public health activity.
Additionally, if a PHA makes a “reasonable” request for PHI, covered entities providing PHI to a PHA or HIE are entitled to consider the data requested to constitute the “minimum necessary” to accomplish the stated purpose for disclosure. For example, if a covered entity receives an ongoing request from the Centers for Disease Control and Prevention (“CDC”) for COVID-19 case data, the covered entity would be permitted under the new guidance to respond with “the automated generation and transmission of case reports from [electronic health records] to PHAs . . . .” This permission applies whether or not “the covered entity receive[s] a direct request for PHI from the PHA.”
This guidance “is not a final agency action and may be rescinded or modified in the discretion of the U.S. Department of Health & Human Services (HHS). Noncompliance with any voluntary standards or suggested practices contained in guidance documents not required by law will not, in itself, result in any enforcement action.” In order to share data in compliance with this guidance, however, covered entities should first ensure that their Notices of Privacy Practices explain the potential for disclosure of PHI, without authorization, for public health purposes. Covered entities must also ensure that any such disclosures, including those by a business associate HIE, are included in any required accounting of disclosures requested by an individual under the HIPAA Privacy Rule.