PHI disclosures by business associates after the COVID-19 exemption ends

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has announced the expiration of the COVID-19 related HIPAA Enforcement Discretion measures on May 11, 2023. 

Why it matters:

The Protected Health Information Disclosures by Business Associates allowed these associates to share PHI with public health authorities and for health oversight activities without facing penalties, even if a proper business associate agreement (BAA) was not in place. With the exemption expiring on May 11, 2023, business associates and covered entities must adapt to the changes in disclosure requirements and ensure full compliance with HIPAA regulations.

Learn more: 

• HIPAA enforcement discretion for COVID-19 to expire midnight, May 11, 2023
• Telehealth HIPAA compliance after the COVID-19 exemption ends 

The OCR has provided a 90-day transition period for healthcare providers to make necessary changes to their operations to ensure privacy and security compliance with HIPAA Rules. During this time, OCR will not impose penalties on covered healthcare providers for noncompliance with the HIPAA Rules, as long as the noncompliance is in connection with the good faith provision of telehealth.

The transition period will begin on May 12, 2023, and end at 11:59 pm on August 9, 2023. 

Key impacts:

• Business associates will need to have proper BAAs in place with covered entities for all PHI disclosures and uses.
• Disclosing PHI to public health authorities and health oversight agencies without a BAA or other HIPAA compliant authorization will no longer be acceptable.
• Appropriate safeguards, such as encryption and access controls, must be implemented to protect PHI during disclosure.

Solutions for compliance:

1. Establish BAAs: Set up BAAs between business associates and covered entities that outline the specific terms and conditions for PHI disclosure related to public health activities and other uses.
2. Update authorizations: Ensure that BAAs include provisions for disclosing PHI to health oversight agencies as required by law and obtain necessary authorizations when needed.
3. Enhance data security: Review and strengthen data security measures, including encryption, access controls, and secure transmission methods, to ensure the privacy and security of PHI during disclosure.

Next steps:

As the enforcement discretion for PHI disclosures by business associates expires, both associates and covered entities must reevaluate their compliance with HIPAA regulations. By establishing appropriate BAAs, obtaining necessary authorizations, and implementing robust security measures, organizations can continue to support public health and health oversight activities while maintaining patient privacy and data security.

Related: HIPAA Compliant Email: The Definitive Guide