April 8, 2020

Personal Health Information Privacy and COVID-19: HIPAA and California Law Enforcement Forbearance

Coronavirus: Privacy and Data Security Advisory

To help our clients navigate the coronavirus (COVID-19) crisis, Arnold & Porter has established a Coronavirus Task Force covering a wide range of issues and challenges.


Within the past week, both the US Department of Health and Human Services (HHS) and California Governor Gavin Newsom issued notices suspending enforcement of certain health information privacy rules during the COVID-19 emergency period. These notices recognize the public health justification for disclosure of personal health information during this crisis, even where, under other circumstances, those disclosures could constitute serious violations of federal and/or state privacy law. Below we identify the key takeaways from these notices for healthcare providers on the frontline.

HHS Notification of Enforcement Discretion

On April 2, 2020, HHS' Office for Civil Rights (OCR) announced that, effective immediately and for as long as the COVID-19 emergency continues,[1] it will not impose penalties under the Health Insurance Portability and Accountability Act (HIPAA) for unauthorized uses and disclosures of personal ("protected") health information (PHI) by HIPAA "business associates" who make such uses or disclosures in good faith for public health purposes related to COVID-19.[2] This announcement complements and supplements OCR's declaration on March 17, 2020, that it will waive potential penalties for violations of the HIPAA privacy and security rules for health care providers who engage in telehealth services using "everyday communications technologies" during the COVID-19 emergency period.[3] OCR also recently underscored in other guidance that the HIPAA rules provide leeway for PHI disclosures by health care providers to COVID-19 first responders,[4] as well as for other relevant uses and disclosures of PHI, without obtaining an authorization from the individual to whom the PHI pertains.[5]

Under HIPAA, "business associates" are service providers to HIPAA covered entities (i.e., health plans and most health care providers) that need access to PHI to perform the services for which they are engaged. Generally, a business associate is prohibited from using or disclosing that PHI except as necessary to perform those services (or as required by law). According to OCR, this generally appropriate prohibition has frustrated recent efforts to combat COVID-19 by preventing business associates from disclosing relevant PHI to federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers, as well as from using such PHI at the request of those entities for public health-related purposes.

To address this obstacle, OCR's notice of enforcement discretion provides that a HIPAA business associate will not face penalties for certain uses and disclosures of PHI beyond those needed to perform the services for which the business associate has access to the PHI. Specifically, OCR will now refrain from bringing an action against a business associate based on such a use or disclosure of PHI when (and only when):

  1. the disclosure or use is made in "good faith" for public health activities or health oversight activities, provided those disclosures or uses are consistent with the HIPAA privacy rule provisions permitting covered entities to disclose or use PHI for those purposes,[6] and
  2. the business associate informs the relevant covered entity of the use or disclosure within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

OCR's announcement does not define which business associate disclosures or uses of PHI for the relevant types of public health or health oversight activities would be deemed to be made in "good faith." The announcement does provide two examples, however, of "good faith" uses and disclosures:

  • disclosures to and uses on behalf of the Centers for Disease Control and Prevention (CDC), or a similar state public health authority, to help prevent or control the spread of COVID-19, and
  • disclosures to and uses on behalf of the Centers for Medicare and Medicaid Services (CMS), or a similar state health oversight agency, to assist in oversight of or assistance to the health care system's response to COVID-19.

The announcement stresses that the forbearance OCR is exercising is limited to the specified uses and disclosures of PHI under the HIPAA privacy rule and does not extend to a business associate's obligations under the HIPAA security and breach notification rules. Accordingly, for example, while OCR will not penalize a business associate for transmitting PHI in good faith to a public health authority or other authorized recipient[7] to help fight COVID-19, it will hold that business associate liable for any failure to adhere to the HIPAA security standards in that transmission, or for a failure to notify the relevant covered entity if a security breach occurs during that transmission.

In its separate recent clarifications of the HIPAA rules in relation to COVID-19, OCR underscored the flexibility HIPAA covered entities already have to use and disclose PHI to prevent the spread and to treat cases of the virus. Specifically, in its March notice regarding disclosures to first responders, OCR clarified that a covered entity may disclose the PHI of an individual who has been infected with or exposed to COVID-19, without obtaining the individual's authorization, to first responders (such as law enforcement, paramedics, other first responders, and public health authorities) under the following circumstances:

  • as necessary to provide treatment (e.g., PHI may be disclosed to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital's emergency department);
  • for public health purposes to public health authorities (e.g., to the CDC and state health agencies, as well as their employees, contractors, or other persons or entities to whom the agency has granted authority);
  • as required by law (e.g., where state law requires reporting of any positive results of a test for COVID-19);
  • to prevent or lessen a serious and imminent threat to health or safety (e.g., to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel); and
  • for health or safety purposes related to a correctional institution or law enforcement official's lawful custody of an inmate or other individual (e.g., to share an inmate's positive COVID-19 test results with guards).[8]

These purposes also can support HIPAA covered entities' disclosures to others, as clarified in OCR's initial notice on HIPAA privacy and COVID-19.[9]

California Executive Order

Governor Newsom's order, issued just one day after OCR's April 2 announcement, similarly waives penalties under several California privacy statutes, regulations, and local ordinances for health care providers' "unauthorized access or disclosure [of patient information that] is related to the good faith provision of telehealth services." The order, which expressly refers to OCR's prior HIPAA waiver relating to telehealth, states that government action "is imperative to reduce the spread of COVID-19 and protect health care workers, including through the use of telehealth services, where possible, for any reason (not limited to the diagnosis and treatment of COVID-19 or related conditions)." Finding that "strict compliance" with California privacy law "would prevent, hinder, or delay appropriate actions to prevent and mitigate the effects of the COVID-19," the order waives penalties that might otherwise be imposed on physicians, clinics, home health agencies, hospice facilities, and other health care providers offering telehealth services, whether for COVID-19-related or unrelated care.

"Telehealth services" under the order are broadly defined to include "the use of telehealth services to engage in the provision of behavioral or mental health services, in addition to the use of telehealth services to engage in the provision of medical, surgical, or other health care services." The scope of the order's waiver is also broad: it extends not only to government penalties, but also to damages awards, including in private class action lawsuits, and to penalties for failure to timely notify individuals or government authorities of data security breaches, provided the disclosures were related to telehealth services undertaken in "good faith" (without definition or elaboration on the term "good faith"). Notably, Governor Newsom's order specifically suspends causes of action that could otherwise be brought under California's Unfair Competition Law (which provides a cause of action for violations of other law) as applied to inadvertent, unauthorized access to or disclosure of health information during the good faith provision of telehealth services.

* * * * *

OCR and Governor Newsom's actions to remove legal impediments to uses and disclosures of PHI during the COVID-19 emergency period underscore the need for flexibility in balancing individual privacy interests with the core public interest of public health and safety. These actions appear to reflect the conclusion that rigid enforcement of rules that struck an appropriate balance six months ago could today endanger lives in the United States and elsewhere. We will be monitoring this issue, as we expect the federal government and states to continue to revisit the appropriate balancing of privacy and public health interests as this crisis continues.

© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. Specifically, until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, whichever occurs first.

  2. OCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency. The notice is now published in the Federal Register at 85 Fed. Reg. 19292 (April 7, 2020).

  3. See Arnold & Porter Advisory, "Expanding Telehealth Services to Fight COVID-19."

  4. See HHS, Office for Civil Rights, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities.

  5. See HHS, Office for Civil Rights Bulletin: HIPAA Privacy and Novel Coronavirus.

  6. Under the HIPAA Privacy Rule, HIPAA covered entities may use and disclose PHI for a variety of public health purposes, as set forth at 45 C.F.R. § 164.512(b), but may make such disclosures only to (i) specified public health authorities, or (ii) persons regulated by the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for purposes of activities related to the quality, safety or effectiveness of the product or activity. Id. § 164.512(b)(iii). With respect to health oversight activities, the HIPAA privacy rule permits covered entities to use and disclose PHI for oversight activities authorized by law, but disclosures may be made only to a health oversight agency. Id. § 164.512(d).

  7. As noted, the only authorized recipients of PHI disclosures made for public health purposes are the public health authorities and FDA-regulated persons specified in 45 C.F.R. § 164.512(b), and the only authorized recipients of PHI disclosures made for health oversight activities are the health oversight agencies specified in 45 C.F.R. § 164.512(d).

  8. See HHS, Office for Civil Rights, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities.

  9. See HHS, Office for Civil Rights Bulletin: HIPAA Privacy and Novel Coronavirus.