HIPAA Blog

[ Friday, April 03, 2020 ]

 

More OCR flexibility.  Again, it's enforcement discretion, which means there's no change in the law or regulations, but OCR is granting business associates the same flexibility that covered entities have to disclose for public health and health oversight activities.  Covered entities may disclose PHI without patient authorization to state epidemiology agencies for public health purposes, pursuant to 45 CFR 164.512(b)(1)(i); however, the regs don't give the same authority to business associates.

Instead, the business associate must abide by the terms of their business associate agreements, which may or may not allow such a disclosure.  Almost all BAAs will allow the BA to disclose where "required by law," but some epidemiological disclosures are not technically required: for example, many states require doctors, nurses, educators and certain others to disclose suspected abuse, and allow but do not require the general public to make similar disclosures.  If the disclosure to state infection control officials is permitted but not required, and the BAA allows only "required" disclosures, then the BA must refrain from making the disclosure.

Some BAAs say that the BA may disclose where "permitted or required;" in that case, the BA would be able to report to state health officials.

Ultimately, this is a small-potatoes fix, but it does point out two important things.  First, an interesting factoid to keep in mind about the HIPAA regs: while the HITECH act did incorporate BAs directly into HIPAA in many ways, there still are differences between CEs and BAs, and you have to read the specific language of the regulations carefully (obviously, OCR is reading it carefully).  Secondly, since BAs have fewer rights and less flexibility with respect to uses and disclosures of PHI, ultimately the BA can only do what the BAA allows.  So the language of the BAA really does make a difference.

Keep this in mind, and stay safe out there.

Jeff [12:12 PM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template