This article has been saved to your Favorites!

Health Cos.' Biz Associate Agreements Need COVID-19 Update

By Cynthia Haines and Elizabeth Hein · 2020-06-17 18:43:44 -0400

Cynthia Haines
Elizabeth Hein
Health care providers and their business associates have faced constantly shifting regulatory requirements and operational changes over the last few months.

These developments include federal enforcement related to COVID-19, increased use of telehealth, and the publication of new federal regulations related to interoperability. Given these developments, it is an opportune time for providers to revisit and amend their business associate agreements, or BAAs.

Relaxed Enforcement for Public Health and Public Oversight Activities

Generally, the Health Insurance Portability and Accountability Act privacy rule[1] only permits a business associate to use and disclose protected health information, or PHI, for public health and health oversight purposes if expressly permitted by its BAA with the provider. But, as we have seen recently, agencies such as the Centers for Medicare & Medicaid Services, the Centers for Disease Control and Prevention, and state and local health authorities often need information immediately to address the emergency.

The U.S. Department of Health and Human Services announced on April 2 that during the national COVID-19 emergency, HHS is permitting business associates to use and disclose PHI for public health and health oversight purposes in accordance with HIPAA, even where this disclosure is not specifically spelled out in the applicable BAA.[2]

According to HHS Office for Civil Rights Director Roger Severino:

The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic. Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.

The HHS' notification states the OCR will not take enforcement action against providers and their business associates for uses and disclosures for public health and health oversight activities during the public health emergency so long as:

  • The use or disclosure is made in a good faith and consistent with HIPAA's requirements for such uses and disclosures;

  • The use or disclosure is for the purpose of overseeing and providing assistance as it relates to a COVID-19 response; and

  • The business associate informs the provider within 10 calendar days after the use or disclosure occurs or commences for a repeating use or disclosure.

This means that providers may wish to amend their BAAs to continue to be able to share PHI with a public health authority[3] or health oversight agency[4] or to assist in efforts to perform data analytics for public health purposes after the current public health emergency ends. The process of amending a BAA takes time, and it is recommended that providers review and revise BAAs now to ensure business associates' continued ability to provide PHI to public health and health oversight agencies in future emergencies.

Increased Telehealth Services

The OCR has also suspended penalties for telehealth use during the pandemic in an effort to ensure timely and safe access to care during the pandemic, however, providers and their business associates still remain liable for complying with the HIPAA Security Rule's[5] requirements to implement safeguards to maintain the confidentiality, integrity, and availability of electronic PHI, including by ensuring secure transmission and storage of ePHI.

Providers often mistakenly believe that communicating ePHI is acceptable when the communication is directly between physician and patient. Little regard may be given to the channel of communication that is used for communicating ePHI. Providers who wish to comply with the HIPAA guidelines on telemedicine must adhere to rigorous standards for such communications to be deemed compliant and when working with a telemedicine vendor for software, equipment, cloud, and other services.

The HIPAA guidelines on telemedicine are contained within the HIPAA security rule and require that:

  • Only authorized users should have access to ePHI.

  • A system of secure communication should be implemented to protect the integrity of ePHI.

  • A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches.

Consider specifically including these requirements in the BAA with a telemedicine vendor.

Providers must carefully consider safeguards when creating ePHI that is stored by a third party. In this situation, the BAA must identify the third party's methods to ensure the protection of the data and regularly audit the data's security.

New Federal Rules and HIPAA

On May 1, the Office of the National Coordinator for Health Information Technology published a final rule in the Federal Register defining the information blocking prohibition. On the same date, CMS published the companion Interoperability and Patient Access Rule.

The ONC final rule implemented provisions in Title IV of the 21st Century Cures Act, including the agency's policies for the new legal prohibition against information blocking,[6] as well as updates to the Health IT Certification Program to enhance interoperability of ePHI in several important ways.

First, it specifies a standardized core clinical data class set by adopting the United States Core Data for Interoperability standard, which must be used by certified health IT developers.

Second, it requires the health care industry to adopt standardized application programming interfaces,[7] a type of technology that is the foundation of smartphone applications, and which has enabled seamless, user-friendly data exchange via apps in the online banking and travel-booking industries.

The mandated combination of standardized APIs and USCDI is intended to create compatibility regarding what data electronic health records systems must be able to exchange, and how they must do so. While these particular provisions impact health IT developers more than providers, they will ultimately affect providers by creating an environment in which secure and easily accessible structured electronic health information can be more easily exchanged across care settings and accessed by individual patients for free using smartphone apps. 

These are complex regulations but, at a minimum, BAAs should include a provision to make it clear that the business associate and provider are subject to the ONC and CMS final rules and that the business associate and provider will work together to implement those provisions to advance interoperability; support the access, exchange and use of electronic health information; and prohibit information blocking both during and after a service contract term.  

Compliance deadlines for the ONC and CMS final rules, originally set for June 30, have been extended for three months because of the COVID-19 public health emergency.[8] However, enforcement of the information blocking provisions against providers is likely to be further delayed,[9] given that the Cures Act directs OIG to refer provider violations to "the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking."[10]

HHS has yet to identify the agency that will handle information blocking referrals or the disincentive that will apply to providers engaging in information blocking.



Cynthia Haines is a principal and Elizabeth Hein is an associate at Post & Schell PC.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.


[1] 45 C.F.R. Parts 160 and 164.

[2] See Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19 (Notification).

[3] 45 C.F.R. §164.512(b).

[4] 45 C.F.R. §164.512(d).

[5] 45 C.F.R. Part 164.

[6] The Cures Act defines "information blocking," in pertinent part, as a practice that is "likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information . . ." and, which "if conducted by a health care provider, such provider knows that such practice is unreasonable and likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information. See 42 U.S.C. 300jj-52(a)(1)(B)(ii). Under the Cures Act, health information technology developers, exchanges, or networks are also subject to information blocking prohibitions. See 42 U.S.C. 300jj-52(a)(1)(B)(i).

[7] An API can be thought of as a set of commands, functions, protocols, or tools published by one software developer (''A'') that enable other software developers to create programs (applications or ''apps'') that can interact with A's software without needing to know the internal workings of A's software, all while maintaining consumer privacy data standards. See CMS Final Rule, 85 Fed. Reg. 25515.

[8] See ONC, Cures Act Final Rule, "Enforcement Discretion," https://www.healthit.gov/curesrule/resources/enforcement-discretion (last visited May 20, 2020).

[9] The Cures Act gives the Office of Inspector General (OIG) authority to impose Civil Monetary Penalties not exceeding $1 million per violation for information blocking violations committed by health IT developers, health information exchanges, and health information networks. 42 U.S.C. 300jj-52(b)(2)(A). The OIG published a Proposed Rule regarding enforcement against such actors on April 24, 2020. HHS OIG, Grants, Contracts, and Other Agreements; Fraud and Abuse; Information Blocking; Office of Inspector General's Civil Money Penalty Rules, 85 Fed. Reg. 22979 (April 24, 2020).

[10] 42 U.S.C. 300jj-52(b)(2)(B).

For a reprint of this article, please contact reprints@law360.com.