One of the many challenges for those who handle healthcare-related information is how to balance the interests of public health in these difficult times against the robust individual privacy protection in existing laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
This is especially true for those businesses that perform work, such as claims processing, billing, and management/consulting services, on behalf of covered entities, such as hospitals, under HIPAA; such businesses are classified as “business associates,” and are typically limited in the amount of protected health information (PHI) they may disclose to only what is expressly permitted under the contract with the covered entity and applicable law. Protecting PHI—and avoiding resulting litigation—is typically a focus for any business that may be classified as a HIPAA business associate.
But what happens when government agencies come calling for PHI in the interests of public health, and time is of the essence in a situation involving a highly-communicable virus such as COVID-19? While unresolved issues remain (and will no doubt emerge in the coming months), the Department of Health and Human Services (HHS) recently issued an announcement of enforcement discretion covering both covered entities and business associates that provides some level of protection. The notification, see https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-hipaa.pdf, states that HHS will not impose penalties against either a covered entity or business associate where (1) a business associate makes a good faith use or disclosure of PHI “for public health…or health oversight activities” and (2) it informs the covered entity of the disclosure within 10 calendar days. Examples of good faith activity provided include sharing information with the Centers for Disease Control and Prevention/Centers for Medicare and Medicaid Services or a similar state agency for the purposes “of preventing or controlling the spread of COVID-19” or “providing assistance for the health care system as it relates to the COVID-19 response….”
While this discretionary act should help covered entities/business associates feel more confident about cooperating for COVID-19-related PHI requests, it is still important to note that HHS has not altered other privacy protections, such as implementing required safeguards and otherwise maintaining the confidentiality and integrity of stored PHI.
For more information, contact Ty Doyle: