Under the Privacy Rule, Business Associates now also have permission to share COVID-19 related data, including PHI, for public health and health oversight purposes, without risk of a HIPAA penalty. The public health authorities and health oversight agencies in question are the Centers for Disease Control and Prevention (CDC) and the Centers for Medicare and Medicaid Services (CMS) at the Federal level, along with state and local health departments and state emergency operations centers needing access to COVID-19 related data, including PHI. Covered Entities have already had such permission under the HIPAA Privacy Rule.
You may be wondering: what’s changed for Business Associates? Well, under the current regulations, HIPAA Business Associates did not have permission to use and disclose protected health information for public health and health oversight purposes unless expressly permitted by their business associate agreements with their HIPAA Covered Entities.
Check out the Notification here: