Printer Friendly, PDF & Email

OCR's COVID-19 regulatory relief: Changing how we deliver care

Jessica Quinn ( is Senior Vice President, Chief Ethics and Compliance Officer, and Vladimir I. Edmondson ( is Senior Compliance Director and Chief Privacy Officer at OhioHealth in Columbus, OH.

Almost 25 years ago, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishing a national framework for patient privacy.[1] To ensure an appropriate balance between individual privacy rights and public health needs, Congress included the following statutory language: “Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.”[2] Consistent with this congressional intent, when drafting the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule),[3] the secretary of the U.S. Department of Health & Human Services (HHS) incorporated a savings clause to exempt state public health laws from preemption and a number of important exceptions for public health activities.[4]

As the COVID-19 pandemic has unfolded, healthcare providers have proven to be critical players in the fight against the pandemic through preventing, treating, and recovering from COVID-19 in, at times, nontraditional ways not necessarily contemplated by privacy laws. To ensure that those engaged in the COVID-19 fight are not unnecessarily restricted under the Privacy Rule, the HHS Office for Civil Rights (OCR) began to issue a rapid-fire series of regulatory relief documents providing covered entities the relief they needed to fight a pandemic of this magnitude. To date, OCR has issued three notifications of enforcement discretion, four separate guidance documents, and two bulletins focused on the COVID-19 response. OCR’s early efforts to address the not-yet-declared pandemic began in early February when it issued, without fanfare, the “BULLETIN: HIPAA Privacy and Novel Coronavirus.”[5] While not yet extending regulatory relief, the February bulletin highlighted ways in which covered entities and their business associates could continue to permissibly share patient information and put them on notice that they must continue to implement and apply reasonable, as well as administrative, physical, and technical, safeguards to protect patient information. This regulatory relief is not without limitations, however, and a careful understanding of the guardrails for these temporary regulatory changes is critical to help navigate through these changes without inadvertently crossing the line into noncompliance.

This document is only available to members. Please log in or become a member.