Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19, 19392-19393 [2020-07268]
Download as PDF
<![CDATA[
19392
Federal Register / Vol. 85, No. 67 / Tuesday, April 7, 2020 / Rules and Regulations
of January 14, 2020 (85 FR 2022) is
confirmed: March 16, 2020.
ADDRESSES:
Federal Register Publications: Access
rulemaking documents electronically at
https://www.msha.gov/regulations/
rulemaking or https://
www.regulations.gov [Docket Number:
MSHA–2019–0007].
Email Notification: To subscribe to
receive email notification when MSHA
publishes rulemaking documents in the
Federal Register, go to https://
www.msha.gov/subscriptions.
FOR FURTHER INFORMATION CONTACT:
Sheila A. McConnell, Director, Office of
Standards, Regulations, and Variances,
MSHA, at mcconnell.sheila.a@dol.gov
(email), 202–693–9440 (voice), or 202–
693–9441 (fax). These are not toll-free
numbers.
SUPPLEMENTARY INFORMATION:
Effective Date
On January 14, 2020, MSHA
published in the Federal Register a
direct final rule to revise certain safety
standards for explosives at metal and
nonmetal mines (85 FR 2022). In the
same issue of the Federal Register,
MSHA published a companion
proposed rule (85 FR 2064) for notice
and comment rulemaking to provide a
procedural framework to finalize the
rule in the event that the Agency
received significant adverse comments
and had to withdraw the direct final
rule. After reviewing all the comments
received during the public comment
period, MSHA has determined that
these comments are not adverse to the
direct final rule. Therefore, the direct
final rule took effect on March 16, 2020.
Authority: 30 U.S.C. 811
David G. Zatezalo,
Assistant Secretary of Labor for Mine Safety
and Health Administration.
This final rule removes DoD’s
regulation that provides instructions to
DoD Components on the collection and
disposition of cash and cash equivalents
received for the sale of DoD surplus
personal property. Proceeds from the
sale of surplus personal property shall
be deposited by the collecting DoD
Component promptly to a U.S. Treasury
account. Process instructions are
conveyed directly to potential buyers
and bidders when invitation for bids are
distributed or published. Therefore, this
rule is unnecessary and can be removed
from the CFR.
SUMMARY:
DATES:
This rule is effective on April 7,
2020.
FOR FURTHER INFORMATION CONTACT:
Kellie Allison at 703–614–0410.
It has been
determined that publication of this CFR
part removal for public comment is
impracticable, unnecessary, and
contrary to public interest since it is
based on removing DoD guidance that is
not required to be codified and is
publicly available on the Department’s
website. DoD guidance will continue to
be published in DoD 7000.14–R,
Financial Management Regulation,
Volume 11A, Chapter 5, ‘‘Disposition of
Proceeds from DoD Sales of Surplus
Personal Property’’ available at https://
comptroller.defense.gov/Portals/45/
documents/fmr/current/11a/11a_05.pdf.
This rule is not significant under
Executive Order (E.O.) 12866,
‘‘Regulatory Planning and Review.’’
Therefore, E.O. 13771, ‘‘Reducing
Regulation and Controlling Regulatory
Costs,’’ does not apply.
SUPPLEMENTARY INFORMATION:
List of Subjects in 32 CFR Part 172
Personal property, Recyclable
material, Surplus Government property.
[FR Doc. 2020–06649 Filed 4–6–20; 8:45 am]
PART 172—[REMOVED]
BILLING CODE 4520–43–P
Accordingly, by the authority of 5
U.S.C. 301, 32 CFR part 172 is removed.
■
DEPARTMENT OF DEFENSE
Dated: March 27, 2020.
Aaron T. Siegel,
Federal Register Liaison Officer, Department
of Defense.
Office of the Secretary
khammond on DSKJM1Z7X2PROD with RULES
32 CFR Part 172
[Docket ID: DOD–2018–OS–0044]
[FR Doc. 2020–06773 Filed 4–6–20; 8:45 am]
RIN 0790–AK30
BILLING CODE 5001–06–P
Office of the Under Secretary of
Defense (Comptroller), DoD.
ACTION: Final rule.
AGENCY:
16:34 Apr 06, 2020
Jkt 250001
PO 00000
Frm 00016
Fmt 4700
45 CFR Parts 160 and 164
Enforcement Discretion Under HIPAA
To Allow Uses and Disclosures of
Protected Health Information by
Business Associates for Public Health
and Health Oversight Activities in
Response to COVID–19
Office of the Secretary, HHS.
Notification of enforcement
discretion.
AGENCY:
ACTION:
This notification is to inform
the public that the Department of Health
and Human Services (HHS) is exercising
its discretion in how it applies the
Privacy Rule under the Health Insurance
Portability and Accountability Act of
1996 (HIPAA). Current regulations
allow a HIPAA business associate to use
and disclose protected health
information for public health and health
oversight purposes only if expressly
permitted by its business associate
agreement with a HIPAA covered entity.
As a matter of enforcement discretion,
effective immediately, the HHS Office
for Civil Rights (OCR) will exercise its
enforcement discretion and will not
impose potential penalties for violations
of certain provisions of the HIPAA
Privacy Rule against covered health care
providers or their business associates for
uses and disclosures of protected health
information by business associates for
public health and health oversight
activities during the COVID–19
nationwide public health emergency.
DATES: The Notification of Enforcement
Discretion will remain in effect until the
Secretary of HHS declares that the
public health emergency no longer
exists, or upon the expiration date of the
declared public health emergency (as
determined by 42 U.S.C. 247d),
whichever occurs first.
FOR FURTHER INFORMATION CONTACT:
Rachel Seeger at (202) 619–0403 or (800)
537–7697 (TDD).
SUPPLEMENTARY INFORMATION: HHS is
informing the public that it is exercising
its discretion in how it applies the
Privacy Rule under the Health Insurance
Portability and Accountability Act of
1996 (HIPAA).1
SUMMARY:
1 Due to the public health emergency posed by
COVID–19, the HHS Office for Civil Rights (OCR)
is exercising its enforcement discretion under the
conditions outlined herein. We believe that this
guidance is a statement of agency policy not subject
to the notice and comment requirements of the
Administrative Procedure Act (APA). 5 U.S.C.
553(b)(A). OCR additionally finds that, even if this
guidance were subject to the public participation
provisions of the APA, prior notice and comment
for this guidance is impracticable, and there is good
Disposition of Proceeds From DoD
Sales of Surplus Personal Property
VerDate Sep<11>2014
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Sfmt 4700
E:\FR\FM\07APR1.SGM
07APR1
Federal Register / Vol. 85, No. 67 / Tuesday, April 7, 2020 / Rules and Regulations
I. Background
The Office for Civil Rights (OCR) at
the Department of Health and Human
Services (HHS) is responsible for
enforcing certain regulations issued
under the Health Insurance Portability
and Accountability Act of 1996
(HIPAA), and the Health Information
Technology for Economic and Clinical
Health (HITECH) Act, to protect the
privacy and security of protected health
information (PHI), namely, the HIPAA
Privacy, Security, and Breach
Notification Rules (the HIPAA Rules).
The HIPAA Privacy Rule permits a
business associate of a HIPAA covered
entity to use and disclose PHI to
conduct certain activities or functions
on behalf of the covered entity, or
provide certain services to or for the
covered entity, but only pursuant to the
explicit terms of a business associate
contract or other written agreement or
arrangement under 45 CFR 164.502(e)(2)
(collectively, ‘‘business associate
agreement’’ or BAA), or as required by
law.
Federal public health authorities and
health oversight agencies, state and
local health departments, and state
emergency operations centers have
requested PHI from HIPAA business
associates (i.e., a disclosure of PHI), or
requested that business associates
perform public health data analytics on
such PHI (i.e., a use of PHI by the
business associate) for the purpose of
ensuring the health and safety of the
public during the COVID–19 national
emergency, which also constitutes a
nationwide public health emergency.
Some HIPAA business associates have
been unable to timely participate in
these efforts because their BAAs do not
expressly permit them to make such
uses and disclosures of PHI.
khammond on DSKJM1Z7X2PROD with RULES
II. Parameters and Conditions of
Enforcement Discretion
To facilitate uses and disclosures for
public health and health oversight
activities during this nationwide public
health emergency, effective
immediately, OCR will exercise its
enforcement discretion and will not
impose penalties against a business
associate or covered entity under the
Privacy Rule provisions 45 CFR
164.502(a)(3), 45 CFR 164.502(e)(2), 45
CFR 164.504(e)(1) and (5) if, and only if:
• the business associate makes a good
faith use or disclosure of the covered
entity’s PHI for public health activities
consistent with 45 CFR 164.512(b), or
health oversight activities consistent
with 45 CFR 164.512(d); and
• The business associate informs the
covered entity within ten (10) calendar
days after the use or disclosure occurs
(or commences, with respect to uses or
disclosures that will repeat over time).
Examples of such good faith uses or
disclosures covered by this Notification
include uses and disclosures for or to:
• the Centers for Disease Control and
Prevention (CDC), or a similar public
health authority at the state level, for the
purpose of preventing or controlling the
spread of COVID–19, consistent with 45
CFR 164.512(b).
• The Centers for Medicare and
Medicaid Services (CMS), or a similar
health oversight agency at the state
level, for the purpose of overseeing and
providing assistance for the health care
system as it relates to the COVID–19
response, consistent with 45 CFR
164.512(d).
This enforcement discretion does not
extend to other requirements or
prohibitions under the Privacy Rule, nor
to any obligations under the HIPAA
Security and Breach Notification Rules
applicable to business associates and
covered entities. For example, business
associates remain liable for complying
with the Security Rule’s requirements to
implement safeguards to maintain the
confidentiality, integrity, and
availability of electronic PHI (ePHI),
including by ensuring secure
transmission of ePHI to the public
health authority or health oversight
agency. This Notification does not
address other federal or state laws
(including breach of contract claims)
that might apply to the uses and
disclosures of this information.
III. Collection of Information
Requirements
This notice of enforcement discretion
creates no legal obligations and no legal
rights. Because this notice imposes no
information collection requirements, it
need not be reviewed by the Office of
Management and Budget under the
Paperwork Reduction Act of 1995 (44
U.S.C. 3501 et seq.).
Roger T. Severino,
Director, Office for Civil Rights, Department
of Health and Human Services.
[FR Doc. 2020–07268 Filed 4–2–20; 4:15 pm]
BILLING CODE 4153–01–P
cause to issue this guidance without prior public
comment and without a delayed effective date. 5
U.S.C. 553(b)(B) & (d)(3).
VerDate Sep<11>2014
16:34 Apr 06, 2020
Jkt 250001
PO 00000
Frm 00017
Fmt 4700
Sfmt 4700
19393
DEPARTMENT OF TRANSPORTATION
National Highway Traffic Safety
Administration
49 CFR Part 555
[Docket No. NHTSA–2018–0103]
Denial of Petition for Reconsideration;
Temporary Exemption From Motor
Vehicle Safety and Bumper Standards
National Highway Traffic
Safety Administration (NHTSA),
Department of Transportation (DOT).
ACTION: Denial of petition for
reconsideration.
AGENCY:
This document denies a
petition for reconsideration submitted
by Advocates for Highway and Auto
Safety, Center for Auto Safety,
Consumer Reports, Consumer
Federation of America, and Ms. Joan
Claybrook (collectively, the
‘‘Petitioners’’) of a final rule amending
NHTSA’s regulation on temporary
exemption from the Federal Motor
Vehicle Safety Standards (FMVSS). The
final rule eliminated the provision
calling for the agency to determine that
an application for a temporary
exemption from any FMVSS or bumper
standard or for a renewal of exemption
is complete before the agency publishes
a notification summarizing the
application and soliciting public
comments on it.
DATES: April 7, 2020.
FOR FURTHER INFORMATION CONTACT:
Daniel Koblenz, Office of Chief Counsel,
National Highway Traffic Safety
Administration, 1200 New Jersey
Avenue SE, Washington, DC 20590;
Telephone: (202) 366–2992.
SUPPLEMENTARY INFORMATION:
SUMMARY:
Table of Contents
I. Background
II. Petition for Reconsideration and Agency
Response
A. This Final Rule was Not Issued as a
Direct Final Rule under 49 CFR 553.14
B. Immediate Adoption of a Final Rule
Under the APA
C. Advantages of Removing Completeness
Requirement
D. NHTSA Provided a Reasoned
Justification for the Amendment
III. Conclusion
This document denies a petition for
reconsideration submitted by the
Petitioners requesting reconsideration of
a December 26, 2018 final rule (83 FR
66158) amending NHTSA’s regulation
on temporary exemption from the
FMVSS. The intended effect of the final
rule was to solicit public comments on
a petition more quickly than had been
E:\FR\FM\07APR1.SGM
07APR1
]]>Agencies
[Federal Register Volume 85, Number 67 (Tuesday, April 7, 2020)]
[Rules and Regulations]
[Pages 19392-19393]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-07268]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
45 CFR Parts 160 and 164
Enforcement Discretion Under HIPAA To Allow Uses and Disclosures
of Protected Health Information by Business Associates for Public
Health and Health Oversight Activities in Response to COVID-19
AGENCY: Office of the Secretary, HHS.
ACTION: Notification of enforcement discretion.
-----------------------------------------------------------------------
SUMMARY: This notification is to inform the public that the Department
of Health and Human Services (HHS) is exercising its discretion in how
it applies the Privacy Rule under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). Current regulations allow a HIPAA
business associate to use and disclose protected health information for
public health and health oversight purposes only if expressly permitted
by its business associate agreement with a HIPAA covered entity. As a
matter of enforcement discretion, effective immediately, the HHS Office
for Civil Rights (OCR) will exercise its enforcement discretion and
will not impose potential penalties for violations of certain
provisions of the HIPAA Privacy Rule against covered health care
providers or their business associates for uses and disclosures of
protected health information by business associates for public health
and health oversight activities during the COVID-19 nationwide public
health emergency.
DATES: The Notification of Enforcement Discretion will remain in effect
until the Secretary of HHS declares that the public health emergency no
longer exists, or upon the expiration date of the declared public
health emergency (as determined by 42 U.S.C. 247d), whichever occurs
first.
FOR FURTHER INFORMATION CONTACT: Rachel Seeger at (202) 619-0403 or
(800) 537-7697 (TDD).
SUPPLEMENTARY INFORMATION: HHS is informing the public that it is
exercising its discretion in how it applies the Privacy Rule under the
Health Insurance Portability and Accountability Act of 1996 (HIPAA).\1\
---------------------------------------------------------------------------
\1\ Due to the public health emergency posed by COVID-19, the
HHS Office for Civil Rights (OCR) is exercising its enforcement
discretion under the conditions outlined herein. We believe that
this guidance is a statement of agency policy not subject to the
notice and comment requirements of the Administrative Procedure Act
(APA). 5 U.S.C. 553(b)(A). OCR additionally finds that, even if this
guidance were subject to the public participation provisions of the
APA, prior notice and comment for this guidance is impracticable,
and there is good cause to issue this guidance without prior public
comment and without a delayed effective date. 5 U.S.C. 553(b)(B) &
(d)(3).
---------------------------------------------------------------------------
[[Page 19393]]
I. Background
The Office for Civil Rights (OCR) at the Department of Health and
Human Services (HHS) is responsible for enforcing certain regulations
issued under the Health Insurance Portability and Accountability Act of
1996 (HIPAA), and the Health Information Technology for Economic and
Clinical Health (HITECH) Act, to protect the privacy and security of
protected health information (PHI), namely, the HIPAA Privacy,
Security, and Breach Notification Rules (the HIPAA Rules).
The HIPAA Privacy Rule permits a business associate of a HIPAA
covered entity to use and disclose PHI to conduct certain activities or
functions on behalf of the covered entity, or provide certain services
to or for the covered entity, but only pursuant to the explicit terms
of a business associate contract or other written agreement or
arrangement under 45 CFR 164.502(e)(2) (collectively, ``business
associate agreement'' or BAA), or as required by law.
Federal public health authorities and health oversight agencies,
state and local health departments, and state emergency operations
centers have requested PHI from HIPAA business associates (i.e., a
disclosure of PHI), or requested that business associates perform
public health data analytics on such PHI (i.e., a use of PHI by the
business associate) for the purpose of ensuring the health and safety
of the public during the COVID-19 national emergency, which also
constitutes a nationwide public health emergency. Some HIPAA business
associates have been unable to timely participate in these efforts
because their BAAs do not expressly permit them to make such uses and
disclosures of PHI.
II. Parameters and Conditions of Enforcement Discretion
To facilitate uses and disclosures for public health and health
oversight activities during this nationwide public health emergency,
effective immediately, OCR will exercise its enforcement discretion and
will not impose penalties against a business associate or covered
entity under the Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR
164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if, and only if:
the business associate makes a good faith use or
disclosure of the covered entity's PHI for public health activities
consistent with 45 CFR 164.512(b), or health oversight activities
consistent with 45 CFR 164.512(d); and
The business associate informs the covered entity within
ten (10) calendar days after the use or disclosure occurs (or
commences, with respect to uses or disclosures that will repeat over
time).
Examples of such good faith uses or disclosures covered by this
Notification include uses and disclosures for or to:
the Centers for Disease Control and Prevention (CDC), or a
similar public health authority at the state level, for the purpose of
preventing or controlling the spread of COVID-19, consistent with 45
CFR 164.512(b).
The Centers for Medicare and Medicaid Services (CMS), or a
similar health oversight agency at the state level, for the purpose of
overseeing and providing assistance for the health care system as it
relates to the COVID-19 response, consistent with 45 CFR 164.512(d).
This enforcement discretion does not extend to other requirements
or prohibitions under the Privacy Rule, nor to any obligations under
the HIPAA Security and Breach Notification Rules applicable to business
associates and covered entities. For example, business associates
remain liable for complying with the Security Rule's requirements to
implement safeguards to maintain the confidentiality, integrity, and
availability of electronic PHI (ePHI), including by ensuring secure
transmission of ePHI to the public health authority or health oversight
agency. This Notification does not address other federal or state laws
(including breach of contract claims) that might apply to the uses and
disclosures of this information.
III. Collection of Information Requirements
This notice of enforcement discretion creates no legal obligations
and no legal rights. Because this notice imposes no information
collection requirements, it need not be reviewed by the Office of
Management and Budget under the Paperwork Reduction Act of 1995 (44
U.S.C. 3501 et seq.).
Roger T. Severino,
Director, Office for Civil Rights, Department of Health and Human
Services.
[FR Doc. 2020-07268 Filed 4-2-20; 4:15 pm]
BILLING CODE 4153-01-P
