The United States Department of Health and Human Services has announced that it won’t enforce penalties for violations of certain provisions of the HIPAA privacy rule against healthcare providers or their business associates for good-faith disclosures of protected health information (PHI) for public health purposes during the COVID-19 emergency.
The HHS Office for Civil Rights said that it was exercising its “enforcement discretion” in announcing its change in policy during the coronavirus pandemic, a declared emergency period, reports Modern Healthcare in its article “HHS eases HIPAA enforcement on data releases during COVID-19.”
A HIPAA waiver of authorization is a legal document that permits an individual’s protected health information (PHI) to be used or disclosed to a third party. This waiver is part of a series of patient-privacy measures set forth in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
PHI covered under HIPAA is information that can be connected to a specific individual and is held by a covered entity, like a healthcare provider. HIPAA has set out 18 specific identifiers that create PHI when linked to health information.
The notification was issued to support federal and state agencies, including the CMS and the Centers for Disease Control and Prevention, that require access to COVID-19 related data, including protected health information.
“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” OCR director Roger Severino said in a statement. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”
HIPAA’s privacy rule only permits business associates of HIPAA-covered entities to disclose protected health information for certain purposes, under explicit terms of a written agreement.
The enforcement moratorium doesn’t extend to other requirements or prohibitions under the privacy rule, nor to any obligations under the HIPAA security and breach notification rules, OCR said.
Reference: Modern Healthcare (April 2, 2020) “HHS eases HIPAA enforcement on data releases during COVID-19”