COVID-19 Crisis Triggers More HIPAA Policy Changes

The Department of Health and Human Services’ Office for Civil Rights, the agency that enforces HIPAA, outlined the new policy in a statement issued Thursday. OCR will now exercise “enforcement discretion” for violations of certain provisions of the HIPAA Privacy Rule involving “good faith” uses and disclosures of protected health information by business associates for public health-related activities during the crisis.

The move was made because of the urgent need for access to COVID-19 data by federal public health authorities and health oversight agencies, including the Centers for Disease Control and Prevention and Centers for Medicare and Medicaid Services, as well as state and local health departments and state emergency operations centers, OCR says.

“The HIPAA Privacy Rule already permits covered entities to provide this data, and today's announcement now permits business associates to also share this data without risk of a HIPAA penalty,” OCR says.