COVID-19 Latest Updates and Resources

OCR Flexibility on Business Associates’ Use of PHI

The HHS Office of Civil Rights has issued a notice saying that it will not impose penalties for violations of the HIPAA Privacy Rule against covered entities and their business associates for uses and disclosures of PHI by business associates (BAs) for public health and health oversight activities during the COVID-19 health emergency. This enforcement discretion will allow BAs (such as health information exchanges and electronic health record companies) to respond to federal and state requests to disclose PHI to them or to perform public health data analytics on the PHI, even if a BA’s agreements with covered entities do not expressly permit the BA to make these uses and disclosures.

All Curi recommendations are based on current CDC criteria at the time of publication. CDC guidance for SARS-CoV-2 infection may, or may not, be adopted by state and local health departments to respond to rapidly changing local circumstances. Providers should always check with their local health department to see if the CDC’s guidance on any given topic has been modified (particularly if more restrictive) from the CDC’s recommended guidelines. Follow this link for contact information to your state/local health department. If local recommendations vary from those of the CDC, and you are unsure what recommendations to follow, then it is safer to follow the more restrictive guidelines/recommendations.