OCR Announces Notification of Enforcement Discretion

OCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency

Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced, effective immediately, that it will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.

This Notification was issued to support Federal public health authorities and health oversight agencies, like the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers who need access to COVID-19 related data, including PHI. The HIPAA Privacy Rule already permits covered entities to provide this data, and today’s announcement now permits business associates to also share this data without risk of a HIPAA penalty.

“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” said Roger Severino, OCR Director. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives,” Severino added.

This Notification of Enforcement Discretion may be found at: https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-hipaa.pdf

OCR has a new webpage with all COVID-19 related materials issued by OCR at: https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html.
