HHS recently announced that it will not impose penalties if business associates disclose protected health information relating to COVID-19 during the public health emergency period. This waiver, announced in a Notification of Enforcement Discretion, applies if the disclosure is for public health and health oversight activities. It will apply, the Office for Civil Rights at HHS explained, even if their business associate agreement with covered entities does not specifically allow for such disclosure if two things hold true. First, that the disclosure or use is made in "good faith" for public health activities and health oversight activities. Second, that the BA informs the covered entity within ten days after the use or disclosure occurs. Examples provided by HHS include BA notifications to public health authorities, such as the CDC, health departments and CMS.

As we reported on in more detail in our healthcare blog, it is important to note that HHS' notification is not a broad waiver of the use and disclosure requirements of HIPAA. BAs must continue to comply with other provisions of HIPAA.

This notification aligns with the general shift toward deregulation of the healthcare industry during the COVID-19 pandemic. We will continue to monitor regulations surrounding COVID-19 and the healthcare industry to evaluate whether the industry continues down a path of deregulation or if a new series of regulations are imposed following the pandemic's end.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.