Marketing research and data analytics companies and departments that operate as business associates under HIPAA have a bit more leeway in handling disclosure of protected health information during the COVID-19 crisis if the data relates to public health.

The Department of Health and Human Services (HHS) notified business associates that it will be exercising "discretion" in the application of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. HHS “will not impose potential penalties for violations of certain provisions of the HIPAA Privacy Rule against covered health care providers or their business associates for uses and disclosures of protected health information [PHI] by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.”

As most research and analytics professionals in the healthcare space know, HIPAA’s Privacy Rule “permits a business associate of a HIPAA covered entity to use and disclose PHI to conduct certain activities or functions on behalf of the covered entity, or provide certain services to or for the covered entity, but only pursuant to the explicit terms of a business associate contract or other written agreement or arrangement… or as required by law.” (For more information, see the Insights Association’s white paper on HIPAA and marketing research.)

HHS has provided this notice because local, state and federal government agencies and emergency operations centers have been requesting PHI disclosures or data analytics from business associates “for the purpose of ensuring the health and safety of the public during the COVID-19 national emergency,” but “ HIPAA business associates have been unable to timely participate in these efforts” because of the strictures of their business associate agreements.

The HHS Office of Civil Rights (OCR), which enforces the Privacy Rule, stated that it "will exercise its enforcement discretion and will not impose penalties against a business associate or covered entity under the Privacy Rule provisions... if, and only if":

  • “the business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d)”; and
  • “the business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).”

The notice provided two examples of "good faith uses or disclosures" it has in mind:

  1. “the Centers for Disease Control and Prevention (CDC), or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID-19, consistent with 45 CFR 164.512(b).”
  2. “the Centers for Medicare and Medicaid Services (CMS), or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with 45 CFR 164.512(d).”

OCR warned, however, that the "enforcement discretion does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities."

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.