Skip to Content


Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19

Document Details

Information about this document as published in the Federal Register.

Document Statistics
Document page views are updated periodically throughout the day and are cumulative counts for this document. Counts are subject to sampling, reprocessing and revision (up or down) throughout the day.
Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


Office of the Secretary, HHS.


Notification of enforcement discretion.


This notification is to inform the public that the Department of Health and Human Services (HHS) is exercising its discretion in how it applies the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Current regulations allow a HIPAA business associate to use and disclose protected health information for public health and health oversight purposes only if expressly permitted by its business associate agreement with a HIPAA covered entity. As a matter of enforcement discretion, effective immediately, the HHS Office for Civil Rights (OCR) will exercise its enforcement discretion and will not impose potential penalties for violations of certain provisions of the HIPAA Privacy Rule against covered health care providers or their business associates for uses and disclosures of protected health information by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.


The Notification of Enforcement Discretion will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency (as determined by 42 U.S.C. 247d), whichever occurs first.

Start Further Info


Rachel Seeger at (202) 619-0403 or (800) 537-7697 (TDD).

End Further Info End Preamble Start Supplemental Information


HHS is informing the public that it is exercising its discretion in how it applies the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[1]

Start Printed Page 19393

I. Background

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing certain regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health (HITECH) Act, to protect the privacy and security of protected health information (PHI), namely, the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules).

The HIPAA Privacy Rule permits a business associate of a HIPAA covered entity to use and disclose PHI to conduct certain activities or functions on behalf of the covered entity, or provide certain services to or for the covered entity, but only pursuant to the explicit terms of a business associate contract or other written agreement or arrangement under 45 CFR 164.502(e)(2) (collectively, “business associate agreement” or BAA), or as required by law.

Federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers have requested PHI from HIPAA business associates (i.e., a disclosure of PHI), or requested that business associates perform public health data analytics on such PHI (i.e., a use of PHI by the business associate) for the purpose of ensuring the health and safety of the public during the COVID-19 national emergency, which also constitutes a nationwide public health emergency. Some HIPAA business associates have been unable to timely participate in these efforts because their BAAs do not expressly permit them to make such uses and disclosures of PHI.

II. Parameters and Conditions of Enforcement Discretion

To facilitate uses and disclosures for public health and health oversight activities during this nationwide public health emergency, effective immediately, OCR will exercise its enforcement discretion and will not impose penalties against a business associate or covered entity under the Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if, and only if:

  • the business associate makes a good faith use or disclosure of the covered entity's PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d); and
  • The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

Examples of such good faith uses or disclosures covered by this Notification include uses and disclosures for or to:

  • the Centers for Disease Control and Prevention (CDC), or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID-19, consistent with 45 CFR 164.512(b).
  • The Centers for Medicare and Medicaid Services (CMS), or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with 45 CFR 164.512(d).

This enforcement discretion does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. For example, business associates remain liable for complying with the Security Rule's requirements to implement safeguards to maintain the confidentiality, integrity, and availability of electronic PHI (ePHI), including by ensuring secure transmission of ePHI to the public health authority or health oversight agency. This Notification does not address other federal or state laws (including breach of contract claims) that might apply to the uses and disclosures of this information.

III. Collection of Information Requirements

This notice of enforcement discretion creates no legal obligations and no legal rights. Because this notice imposes no information collection requirements, it need not be reviewed by the Office of Management and Budget under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

Start Signature

Roger T. Severino,

Director, Office for Civil Rights, Department of Health and Human Services.

End Signature End Supplemental Information


1.  Due to the public health emergency posed by COVID-19, the HHS Office for Civil Rights (OCR) is exercising its enforcement discretion under the conditions outlined herein. We believe that this guidance is a statement of agency policy not subject to the notice and comment requirements of the Administrative Procedure Act (APA). 5 U.S.C. 553(b)(A). OCR additionally finds that, even if this guidance were subject to the public participation provisions of the APA, prior notice and comment for this guidance is impracticable, and there is good cause to issue this guidance without prior public comment and without a delayed effective date. 5 U.S.C. 553(b)(B) & (d)(3).

Back to Citation

[FR Doc. 2020-07268 Filed 4-2-20; 4:15 pm]