The Department of Health and Human Services (HHS) recently released a regulation notifying the public that HHS is exercising discretion in how it applies the privacy rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Current regulations allow a HIPAA business associate to use and disclose protected health information for public health and health oversight purposes only if expressly permitted by its business associate agreement with a HIPAA-covered entity.
Effective immediately, the HHS Office for Civil Rights (OCR) will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA privacy rule against covered health care providers or their business associates for uses and disclosures of protected health information by business associates for public health and health oversight activities during the COVID-19 public health emergency.
In a related matter, several reports indicate that an individual posing as an HHS Office for Civil Rights investigator has contacted HIPAA-covered entities in an attempt to obtain protected health information. The individual identifies themselves on the telephone as an OCR investigator but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation. To verify that a caller is an OCR investigator, ask for the investigator’s email address, which will end in @hhs.gov, and ask for a confirming email sent from the investigator’s hhs.gov email address. Organizations with additional questions or concerns can send an email to OCRMail@hhs.gov.
Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation (FBI). The FBI has issued a public service announcement about COVID-19 fraud schemes.