Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19, 19392-19393 [2020-07268]

Download as PDF 19392 Federal Register / Vol. 85, No. 67 / Tuesday, April 7, 2020 / Rules and Regulations of January 14, 2020 (85 FR 2022) is confirmed: March 16, 2020. ADDRESSES: Federal Register Publications: Access rulemaking documents electronically at https://www.msha.gov/regulations/ rulemaking or https:// www.regulations.gov [Docket Number: MSHA–2019–0007]. Email Notification: To subscribe to receive email notification when MSHA publishes rulemaking documents in the Federal Register, go to https:// www.msha.gov/subscriptions. FOR FURTHER INFORMATION CONTACT: Sheila A. McConnell, Director, Office of Standards, Regulations, and Variances, MSHA, at mcconnell.sheila.a@dol.gov (email), 202–693–9440 (voice), or 202– 693–9441 (fax). These are not toll-free numbers. SUPPLEMENTARY INFORMATION: Effective Date On January 14, 2020, MSHA published in the Federal Register a direct final rule to revise certain safety standards for explosives at metal and nonmetal mines (85 FR 2022). In the same issue of the Federal Register, MSHA published a companion proposed rule (85 FR 2064) for notice and comment rulemaking to provide a procedural framework to finalize the rule in the event that the Agency received significant adverse comments and had to withdraw the direct final rule. After reviewing all the comments received during the public comment period, MSHA has determined that these comments are not adverse to the direct final rule. Therefore, the direct final rule took effect on March 16, 2020. Authority: 30 U.S.C. 811 David G. Zatezalo, Assistant Secretary of Labor for Mine Safety and Health Administration. This final rule removes DoD’s regulation that provides instructions to DoD Components on the collection and disposition of cash and cash equivalents received for the sale of DoD surplus personal property. Proceeds from the sale of surplus personal property shall be deposited by the collecting DoD Component promptly to a U.S. Treasury account. Process instructions are conveyed directly to potential buyers and bidders when invitation for bids are distributed or published. Therefore, this rule is unnecessary and can be removed from the CFR. SUMMARY: DATES: This rule is effective on April 7, 2020. FOR FURTHER INFORMATION CONTACT: Kellie Allison at 703–614–0410. It has been determined that publication of this CFR part removal for public comment is impracticable, unnecessary, and contrary to public interest since it is based on removing DoD guidance that is not required to be codified and is publicly available on the Department’s website. DoD guidance will continue to be published in DoD 7000.14–R, Financial Management Regulation, Volume 11A, Chapter 5, ‘‘Disposition of Proceeds from DoD Sales of Surplus Personal Property’’ available at https:// comptroller.defense.gov/Portals/45/ documents/fmr/current/11a/11a_05.pdf. This rule is not significant under Executive Order (E.O.) 12866, ‘‘Regulatory Planning and Review.’’ Therefore, E.O. 13771, ‘‘Reducing Regulation and Controlling Regulatory Costs,’’ does not apply. SUPPLEMENTARY INFORMATION: List of Subjects in 32 CFR Part 172 Personal property, Recyclable material, Surplus Government property. [FR Doc. 2020–06649 Filed 4–6–20; 8:45 am] PART 172—[REMOVED] BILLING CODE 4520–43–P Accordingly, by the authority of 5 U.S.C. 301, 32 CFR part 172 is removed. ■ DEPARTMENT OF DEFENSE Dated: March 27, 2020. Aaron T. Siegel, Federal Register Liaison Officer, Department of Defense. Office of the Secretary khammond on DSKJM1Z7X2PROD with RULES 32 CFR Part 172 [Docket ID: DOD–2018–OS–0044] [FR Doc. 2020–06773 Filed 4–6–20; 8:45 am] RIN 0790–AK30 BILLING CODE 5001–06–P Office of the Under Secretary of Defense (Comptroller), DoD. ACTION: Final rule. AGENCY: 16:34 Apr 06, 2020 Jkt 250001 PO 00000 Frm 00016 Fmt 4700 45 CFR Parts 160 and 164 Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID–19 Office of the Secretary, HHS. Notification of enforcement discretion. AGENCY: ACTION: This notification is to inform the public that the Department of Health and Human Services (HHS) is exercising its discretion in how it applies the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Current regulations allow a HIPAA business associate to use and disclose protected health information for public health and health oversight purposes only if expressly permitted by its business associate agreement with a HIPAA covered entity. As a matter of enforcement discretion, effective immediately, the HHS Office for Civil Rights (OCR) will exercise its enforcement discretion and will not impose potential penalties for violations of certain provisions of the HIPAA Privacy Rule against covered health care providers or their business associates for uses and disclosures of protected health information by business associates for public health and health oversight activities during the COVID–19 nationwide public health emergency. DATES: The Notification of Enforcement Discretion will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency (as determined by 42 U.S.C. 247d), whichever occurs first. FOR FURTHER INFORMATION CONTACT: Rachel Seeger at (202) 619–0403 or (800) 537–7697 (TDD). SUPPLEMENTARY INFORMATION: HHS is informing the public that it is exercising its discretion in how it applies the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 SUMMARY: 1 Due to the public health emergency posed by COVID–19, the HHS Office for Civil Rights (OCR) is exercising its enforcement discretion under the conditions outlined herein. We believe that this guidance is a statement of agency policy not subject to the notice and comment requirements of the Administrative Procedure Act (APA). 5 U.S.C. 553(b)(A). OCR additionally finds that, even if this guidance were subject to the public participation provisions of the APA, prior notice and comment for this guidance is impracticable, and there is good Disposition of Proceeds From DoD Sales of Surplus Personal Property VerDate Sep<11>2014 DEPARTMENT OF HEALTH AND HUMAN SERVICES Sfmt 4700 E:\FR\FM\07APR1.SGM 07APR1 Federal Register / Vol. 85, No. 67 / Tuesday, April 7, 2020 / Rules and Regulations I. Background The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing certain regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health (HITECH) Act, to protect the privacy and security of protected health information (PHI), namely, the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules). The HIPAA Privacy Rule permits a business associate of a HIPAA covered entity to use and disclose PHI to conduct certain activities or functions on behalf of the covered entity, or provide certain services to or for the covered entity, but only pursuant to the explicit terms of a business associate contract or other written agreement or arrangement under 45 CFR 164.502(e)(2) (collectively, ‘‘business associate agreement’’ or BAA), or as required by law. Federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers have requested PHI from HIPAA business associates (i.e., a disclosure of PHI), or requested that business associates perform public health data analytics on such PHI (i.e., a use of PHI by the business associate) for the purpose of ensuring the health and safety of the public during the COVID–19 national emergency, which also constitutes a nationwide public health emergency. Some HIPAA business associates have been unable to timely participate in these efforts because their BAAs do not expressly permit them to make such uses and disclosures of PHI. khammond on DSKJM1Z7X2PROD with RULES II. Parameters and Conditions of Enforcement Discretion To facilitate uses and disclosures for public health and health oversight activities during this nationwide public health emergency, effective immediately, OCR will exercise its enforcement discretion and will not impose penalties against a business associate or covered entity under the Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if, and only if: • the business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d); and • The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time). Examples of such good faith uses or disclosures covered by this Notification include uses and disclosures for or to: • the Centers for Disease Control and Prevention (CDC), or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID–19, consistent with 45 CFR 164.512(b). • The Centers for Medicare and Medicaid Services (CMS), or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID–19 response, consistent with 45 CFR 164.512(d). This enforcement discretion does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. For example, business associates remain liable for complying with the Security Rule’s requirements to implement safeguards to maintain the confidentiality, integrity, and availability of electronic PHI (ePHI), including by ensuring secure transmission of ePHI to the public health authority or health oversight agency. This Notification does not address other federal or state laws (including breach of contract claims) that might apply to the uses and disclosures of this information. III. Collection of Information Requirements This notice of enforcement discretion creates no legal obligations and no legal rights. Because this notice imposes no information collection requirements, it need not be reviewed by the Office of Management and Budget under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). Roger T. Severino, Director, Office for Civil Rights, Department of Health and Human Services. [FR Doc. 2020–07268 Filed 4–2–20; 4:15 pm] BILLING CODE 4153–01–P cause to issue this guidance without prior public comment and without a delayed effective date. 5 U.S.C. 553(b)(B) & (d)(3). VerDate Sep<11>2014 16:34 Apr 06, 2020 Jkt 250001 PO 00000 Frm 00017 Fmt 4700 Sfmt 4700 19393 DEPARTMENT OF TRANSPORTATION National Highway Traffic Safety Administration 49 CFR Part 555 [Docket No. NHTSA–2018–0103] Denial of Petition for Reconsideration; Temporary Exemption From Motor Vehicle Safety and Bumper Standards National Highway Traffic Safety Administration (NHTSA), Department of Transportation (DOT). ACTION: Denial of petition for reconsideration. AGENCY: This document denies a petition for reconsideration submitted by Advocates for Highway and Auto Safety, Center for Auto Safety, Consumer Reports, Consumer Federation of America, and Ms. Joan Claybrook (collectively, the ‘‘Petitioners’’) of a final rule amending NHTSA’s regulation on temporary exemption from the Federal Motor Vehicle Safety Standards (FMVSS). The final rule eliminated the provision calling for the agency to determine that an application for a temporary exemption from any FMVSS or bumper standard or for a renewal of exemption is complete before the agency publishes a notification summarizing the application and soliciting public comments on it. DATES: April 7, 2020. FOR FURTHER INFORMATION CONTACT: Daniel Koblenz, Office of Chief Counsel, National Highway Traffic Safety Administration, 1200 New Jersey Avenue SE, Washington, DC 20590; Telephone: (202) 366–2992. SUPPLEMENTARY INFORMATION: SUMMARY: Table of Contents I. Background II. Petition for Reconsideration and Agency Response A. This Final Rule was Not Issued as a Direct Final Rule under 49 CFR 553.14 B. Immediate Adoption of a Final Rule Under the APA C. Advantages of Removing Completeness Requirement D. NHTSA Provided a Reasoned Justification for the Amendment III. Conclusion This document denies a petition for reconsideration submitted by the Petitioners requesting reconsideration of a December 26, 2018 final rule (83 FR 66158) amending NHTSA’s regulation on temporary exemption from the FMVSS. The intended effect of the final rule was to solicit public comments on a petition more quickly than had been E:\FR\FM\07APR1.SGM 07APR1

Agencies

[Federal Register Volume 85, Number 67 (Tuesday, April 7, 2020)]
[Rules and Regulations]
[Pages 19392-19393]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-07268]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

45 CFR Parts 160 and 164


Enforcement Discretion Under HIPAA To Allow Uses and Disclosures 
of Protected Health Information by Business Associates for Public 
Health and Health Oversight Activities in Response to COVID-19

AGENCY: Office of the Secretary, HHS.

ACTION: Notification of enforcement discretion.

-----------------------------------------------------------------------

SUMMARY: This notification is to inform the public that the Department 
of Health and Human Services (HHS) is exercising its discretion in how 
it applies the Privacy Rule under the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA). Current regulations allow a HIPAA 
business associate to use and disclose protected health information for 
public health and health oversight purposes only if expressly permitted 
by its business associate agreement with a HIPAA covered entity. As a 
matter of enforcement discretion, effective immediately, the HHS Office 
for Civil Rights (OCR) will exercise its enforcement discretion and 
will not impose potential penalties for violations of certain 
provisions of the HIPAA Privacy Rule against covered health care 
providers or their business associates for uses and disclosures of 
protected health information by business associates for public health 
and health oversight activities during the COVID-19 nationwide public 
health emergency.

DATES: The Notification of Enforcement Discretion will remain in effect 
until the Secretary of HHS declares that the public health emergency no 
longer exists, or upon the expiration date of the declared public 
health emergency (as determined by 42 U.S.C. 247d), whichever occurs 
first.

FOR FURTHER INFORMATION CONTACT: Rachel Seeger at (202) 619-0403 or 
(800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION: HHS is informing the public that it is 
exercising its discretion in how it applies the Privacy Rule under the 
Health Insurance Portability and Accountability Act of 1996 (HIPAA).\1\
---------------------------------------------------------------------------

    \1\ Due to the public health emergency posed by COVID-19, the 
HHS Office for Civil Rights (OCR) is exercising its enforcement 
discretion under the conditions outlined herein. We believe that 
this guidance is a statement of agency policy not subject to the 
notice and comment requirements of the Administrative Procedure Act 
(APA). 5 U.S.C. 553(b)(A). OCR additionally finds that, even if this 
guidance were subject to the public participation provisions of the 
APA, prior notice and comment for this guidance is impracticable, 
and there is good cause to issue this guidance without prior public 
comment and without a delayed effective date. 5 U.S.C. 553(b)(B) & 
(d)(3).

---------------------------------------------------------------------------

[[Page 19393]]

I. Background

    The Office for Civil Rights (OCR) at the Department of Health and 
Human Services (HHS) is responsible for enforcing certain regulations 
issued under the Health Insurance Portability and Accountability Act of 
1996 (HIPAA), and the Health Information Technology for Economic and 
Clinical Health (HITECH) Act, to protect the privacy and security of 
protected health information (PHI), namely, the HIPAA Privacy, 
Security, and Breach Notification Rules (the HIPAA Rules).
    The HIPAA Privacy Rule permits a business associate of a HIPAA 
covered entity to use and disclose PHI to conduct certain activities or 
functions on behalf of the covered entity, or provide certain services 
to or for the covered entity, but only pursuant to the explicit terms 
of a business associate contract or other written agreement or 
arrangement under 45 CFR 164.502(e)(2) (collectively, ``business 
associate agreement'' or BAA), or as required by law.
    Federal public health authorities and health oversight agencies, 
state and local health departments, and state emergency operations 
centers have requested PHI from HIPAA business associates (i.e., a 
disclosure of PHI), or requested that business associates perform 
public health data analytics on such PHI (i.e., a use of PHI by the 
business associate) for the purpose of ensuring the health and safety 
of the public during the COVID-19 national emergency, which also 
constitutes a nationwide public health emergency. Some HIPAA business 
associates have been unable to timely participate in these efforts 
because their BAAs do not expressly permit them to make such uses and 
disclosures of PHI.

II. Parameters and Conditions of Enforcement Discretion

    To facilitate uses and disclosures for public health and health 
oversight activities during this nationwide public health emergency, 
effective immediately, OCR will exercise its enforcement discretion and 
will not impose penalties against a business associate or covered 
entity under the Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 
164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if, and only if:
     the business associate makes a good faith use or 
disclosure of the covered entity's PHI for public health activities 
consistent with 45 CFR 164.512(b), or health oversight activities 
consistent with 45 CFR 164.512(d); and
     The business associate informs the covered entity within 
ten (10) calendar days after the use or disclosure occurs (or 
commences, with respect to uses or disclosures that will repeat over 
time).
    Examples of such good faith uses or disclosures covered by this 
Notification include uses and disclosures for or to:
     the Centers for Disease Control and Prevention (CDC), or a 
similar public health authority at the state level, for the purpose of 
preventing or controlling the spread of COVID-19, consistent with 45 
CFR 164.512(b).
     The Centers for Medicare and Medicaid Services (CMS), or a 
similar health oversight agency at the state level, for the purpose of 
overseeing and providing assistance for the health care system as it 
relates to the COVID-19 response, consistent with 45 CFR 164.512(d).
    This enforcement discretion does not extend to other requirements 
or prohibitions under the Privacy Rule, nor to any obligations under 
the HIPAA Security and Breach Notification Rules applicable to business 
associates and covered entities. For example, business associates 
remain liable for complying with the Security Rule's requirements to 
implement safeguards to maintain the confidentiality, integrity, and 
availability of electronic PHI (ePHI), including by ensuring secure 
transmission of ePHI to the public health authority or health oversight 
agency. This Notification does not address other federal or state laws 
(including breach of contract claims) that might apply to the uses and 
disclosures of this information.

III. Collection of Information Requirements

    This notice of enforcement discretion creates no legal obligations 
and no legal rights. Because this notice imposes no information 
collection requirements, it need not be reviewed by the Office of 
Management and Budget under the Paperwork Reduction Act of 1995 (44 
U.S.C. 3501 et seq.).

Roger T. Severino,
Director, Office for Civil Rights, Department of Health and Human 
Services.
[FR Doc. 2020-07268 Filed 4-2-20; 4:15 pm]
BILLING CODE 4153-01-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.