On April 2, 2020, the Office for Civil Rights at the Department of Health and Human Services (OCR) announced that, effective immediately, they would exercise “enforcement discretion” regarding disclosures of COVID-19-related protected health information (PHI) to public health authorities. Prior to this announcement, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule only expressly permitted covered entities to use and disclose PHI for public health purposes without patient authorization to prevent or control disease, injury and disability. See 45 CFR 164.512(b). This announcement means that business associates will be permitted by OCR to disclose PHI to public health authorities, such as the Centers for Disease Control and Prevention (CDC), Centers for Medicare & Medicaid Services (CMS), and state and local health departments, for the duration of the COVID-19 crisis to ensure they have ready access to PHI to help fight this pandemic.

OCR did place conditions on its discretionary statement. To qualify for enforcement discretion, business associates must inform their covered entity clients within 10 calendar days of the use or disclosure of PHI. Repeated or ongoing uses and disclosures must only be noticed when the use or disclosure begins, and do not require renotification.

However, as OCR notes in its announcement, all business associates have also entered into contracts with their covered entity customers. These contracts may contain additional provisions or language that limits a business associate’s ability to share PHI. OCR expressly stated that its enforcement discretion announcement “does not address other federal or state laws (including breach of contract claims) that might apply to the uses and disclosures of this information.” As a result, business associates could still face contractual liability, if they used PHI for public health purposes or disclosed PHI to a public health authority against the wishes of their covered entity customers.

Consequently, although OCR’s enforcement discretion provides some relief to business associates who have information sought by public health authorities during this crisis, it does not address the risk of contractual liability, if business associate agreements and covered entity customers prohibit such activities. Nor can OCR technically waive the Department of Justice’s authority to criminally punish uses and disclosures that occur in violation of HIPAA — though it is difficult to imagine the Department of Justice bringing an enforcement action against a company operating in compliance with OCR’s enforcement discretion statement. Business associates should carefully review this announcement and determine how best to approach their customers about sharing information sought by the CDC, CMS and other public health authorities. As public health authorities work to address the growing risks associated with the COVID-19 pandemic in the United States, business associates, which have unique access to data from multiple covered entity clients, will be important partners.