HHS Allows Business Partners to Share HIPAA Related Patient Data

HHS won’t penalize business associates of the health-care industry for sharing patient information intended to help the government combat the new coronavirus pandemic, the agency said Thursday.

The Department of Health and Human Services loosened regulations under health privacy laws for business partners of hospitals and doctors as long as those entities are acting in good faith, such as helping the Centers for Disease Control and Prevention, the Centers for Medicare & Medicaid Services, and other state health authorities prevent or control the spread of Covid-19 and oversee or assist health-care systems with the virus.

A business associate is a company that discloses or shares a patient’s protected health information on behalf of health-care providers, health plans, and clearinghouse billing systems under the current health privacy provision. These companies include collections agencies, financial institutions, and technology companies such as Google Inc.

The business associate must inform the covered entity within 10 calendar days after the data is shared or when the sharing starts if the disclosures will repeat over time, according to the guidance.

This guidance doesn’t mean that these companies can forgo health security provisions, which are in place to ensure that a patient’s data is secure when transmitted to public health authorities.

“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” Roger Severino, the director of The Office for Civil Rights, said. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

This is in effect until the coronavirus pandemic ends or the HHS declares that the public health emergency no longer exists, whichever comes first.