On April 2, 2020, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services released a notification related to the discretion that OCR will exercise concerning HIPAA enforcement during the COVID-19 public health emergency. Effective immediately, OCR will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against business associates for “good faith uses and disclosures of PHI by business associates for public health and health oversight activities.” HIPAA already permits covered entities to provide this data. With this new guidance from OCR, now business associates can disclose this data to certain public health authorities without risk of a HIPAA privacy enforcement action or penalty.

With the news of the recent cyber-attack and resulting data breach at health insurance giant Anthem Inc., the buzz around data security and privacy is again high.  The Anthem breach serves as a reminder to those entities subject to the Health Insurance Portability and Accountability Act (HIPAA) that failing to keep protected health information secure and private can lead to serious consequences.