OCR issues new HIPAA notice
OCR HIPAA Notice
The US Department of Health and Human Services Office for Civil Rights (OCR) issued a notice stating that it will exercise its enforcement discretion and will not impose penalties against business associates (BAs) or covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for BAs disclosing protected health information for public health authorities or health oversight agencies outside of the scope of a BA agreement.
Public health entities and health oversight agencies include the CDC and the Centers for Medicare & Medicaid Services. Under this notice, BAs must share in good faith and inform the covered entity of the disclosure within 10 days. BAs are still subject to the requirements in the HIPAA Security and Breach Notification Rules.