Last Friday, the Office for Civil Rights (OCR) issued new Guidance on how HIPAA permits covered entities and their business associates to use health information exchanges (HIEs) to disclose PHI for the public health activities of a Public Health Authority (PHA). Specifically, it provides examples relevant to the COVID-19 public health emergency. OCR Director, Roger Severino, specifically notes that the Guidance was issued:
“to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency.”.
Although much of the Guidance document simply reiterates the controlling HIPAA Privacy Rule provisions and definitions which have always afforded a mechanism through which covered entities (CE) and their contracted business associates (BA) can share ePHI with a public health authority for public health purposes, there are a few notable new take-away nuggets.