Section 164.502 - Uses and disclosures of protected health information: general rules

91 Analyses of this regulation by attorneys

  1. Use of PHI for Non-Patient Purposes

    Holland & Hart - Health Law Blog | Kim Stanger | February 21, 2020

    (See, e.g., 42 U.S.C. § 1320d-6; 45 C.F.R. § 160.404).

    I. Covered Entity’s Use of PHI. HIPAA is based on the general rule that “[a] covered entity or business associate may not use[2] or disclose[3] PHI, except as permitted or required by [the HIPAA Privacy Rule].” (45 C.F.R. § 164.502(a)). The Privacy Rule lists the specific, permitted uses; other uses generally require the patient’s or personal representative’s written HIPAA-compliant authorization.

  2. More Data Please! The Challenges of Applying Health Information Privacy Laws to the Development of Artificial Intelligence

    Davis Wright Tremaine LLP | Adam H. Greene | February 26, 2020

    Ariel Bleicher, Demystifying the Black Box That Is AI, Scientific Am. (2017), https://www.scientificamerican.com/article/demystifying-the-black-box-that-is-ai/.
    45 C.F.R. § 164.514(b)(2)(ii) (2019); see also U.S. Dep't of Health and Human Servs. (HHS) Office for Civil Rights (OCR), Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html (last visited Dec. 6, 2019) [hereafter OCR De-identification Guidance].
    45 C.F.R. § 164.514(b)(2)(i); see also OCR De-Identification Guidance, supra note 5.
    45 C.F.R. § 164.502(b) (2019).
    Cal. Civ. Code § 1798.140 (2019) (which requires certain safeguards against re-identification and that the data cannot reasonably be "linked" or "associated" with the individual, rather than only focusing on identifiability); Opinion 05/2014 on Anonymisation Techniques, Article 29 Working Party (2014), page 8, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf (de-identified information typically qualifies as "pseudonymized data," which is specifically included in the GDPR's definition of personal data).

  3. OCR Issues Proposed HIPAA Privacy Rule for Confidentiality of “Reproductive Health Care”

    Alston & Bird | April 17, 2023

    ion of “person” in 45 CFR 160.103 of HIPAA’s Privacy Rule so it expressly includes a “natural person (meaning a human being who is born alive).” Per OCR commentary, this proposed amendment would not include “a fertilized egg, embryo, or fetus.”

    It proposes to amend the definition of “public health” in 45 CFR 160.103 of HIPAA’s Privacy Rule. In doing so, OCR noted that “public health officials do not typically investigate criminal activity,” and public health activities should be distinct from criminal investigations. Therefore, according to OCR, state laws that require reporting abortions for certain non-public health purposes involving an individual’s reproductive health care would not be exempt from HIPAA preemption. The Proposed Rule also would prohibit a covered entity or a business associate from refusing to recognize a person as an individual’s “personal representative” under HIPAA solely because they provide or facilitate reproductive health care for an individual.

    It would amend 45 CFR 164.502 (uses and disclosures of PHI) to add a “purpose-based prohibition” to prohibit a covered entity or a business associate from using or disclosing PHI for certain “non-health care” purposes. Non-health care purposes would include (1) a criminal, civil, or administrative investigation into or a proceeding against an individual, a covered entity, a business associate, or other person in connection with seeking, obtaining, providing, or facilitating reproductive health care where such health care is lawful under the circumstances in which it is provided; or (2) identification of an individual, a covered entity, a business associate or other person for the purpose of initiating such investigations or proceedings. According to OCR, this wording is subject to a Rule of Applicability and a Rule of Construction that would be set forth in 45 CFR 164.502 (discussed below).

    Under the NPRM, “seeking, obtaining, providing, or facilitating” reproductive health care would broadly include, “but not be

  4. OCR Targets Three Dentists in New Enforcement Actions; Nixes Political Use of PHI, Review Backlash

    Health Care Compliance Association (HCCA) | Theresa Defino | April 8, 2022

    All told, 5,385 individuals got the emails or letters. Both instances constituted impermissible uses and disclosures, prohibited under 45 C.F.R. § 164.502(a).

    OCR investigators discovered two other issues—the practice didn’t have the required privacy official until Nov. 14, 2017, nor did it “implement policies and procedures to comply with the requirements of the Privacy and Breach Notification Rules until January 1, 2018.”

  5. Relaxation of HIPAA Restrictions in the COVID-19 Era

    Paul Hastings LLP | Sherrese Smith | April 10, 2020

    The announcement of an end-date for this relaxation confirms that COVID-19 has not rendered HIPAA’s privacy restrictions obsolete.

    Third, the recent announcements concerning enforcement relaxation do not even address a myriad of protections and restrictions imposed by HIPAA, which must therefore be considered fully applicable and enforceable, including, for example:

    - Sales of PHI, including PHI obtained during a telehealth communication; [20]
    - Unauthorized use of PHI for marketing purposes; [21]
    - Use and disclosure of genetic information for underwriting purposes; [22] and
    - Use of public-facing remote communication products for transmission of PHI, including TikTok, Facebook Live, Twitch, or a chat room like Slack. [23]

    Conclusion

    The impact of COVID-19 on HIPAA’s Privacy Rule has been significant, but not to the point that HIPAA has been rendered obsolete. The whistleblower provision, 45 C.F.R. § 164.502(j), remains in full effect, and OCR continues to actively pursue enforcement actions, even announcing on April 8, 2019 that it resolved a compliance review of the State of Alabama relating to the state’s removal of ventilator rationing guidelines. [24] Moreover, when the COVID-19 public health emergency is finally resolved, OCR and HHS’s discretionary announcements will expire.

  6. Health Update - November 2014

    Manatt, Phelps & Phillips, LLP | Stephanie Anthony | November 21, 2014

    164. 15 45 C.F.R. §§ 164.502(e), 164.504(e), 164.

  7. New Limits on Minor Consents in Idaho

    Holland & Hart LLP | Kim Stanger | April 10, 2024

    V—Interpretive Guidelines—Responsibilities of Medicare Participating Hospitals in Emergency Cases (Rev. 07-19-19) at Tag A2406.
    18 I.C. § 32-1015(3).
    19 https://legislature.idaho.gov/wp-content/uploads/sessioninfo/2024/legislation/S1329SOP.pdf.
    20 42 U.S.C. § 300 et seq.; 42 C.F.R. § 59.5.
    21 42 C.F.R. § 59.5(a); see also Program Requirements for Title X Funded Family Planning Projects, available at https://www.hhs.gov/opa/sites/default/files/ogc-cleared-final-april.pdf.
    22 42 C.F.R. § 59.11; OPA Program Policy Notice 2014-01, available at https://www.hhs.gov/opa/sites/default/files/ppn2014-01-001.pdf.
    23 Deandra v. Becerra, No. 2:2020cv00092 (N.D. Tex. 2022); see Cong. Res. Serv., Title X Parental Consent for Contraceptive Services Litigation: Overview and Initial Observations, available at .
    24 Deandra v. Becerra, No. 23-10159, 2024 U.S. App. LEXIS 5896, 2024 WL 1059721 (5th Cir. 2024).
    25 42 C.F.R. § 2.14(b).
    26 I.C. § 32-1015(8).
    27 I.C. § 16-1605.
    28 I.C. § 32-1015(5).
    29 Id. at § 32-1015(1)(d).
    30 45 C.F.R. § 164.502(g)(3)(ii)(A).
    31 45 C.F.R. § 160.202; see also 65 FR 82500 (12/28/2000) (“This rule does not affect parental notification laws that permit or require disclosure of protected health information to a parent.”). Given this language, it is not clear whether the “abuse or endangerment” exception to parental access in 45 C.F.R. § 164.502(g)(5) applies: the preemption language cited above suggests it does not, but § 164.502(g)(5) expressly states that it applies “notwithstanding a State law or any requirement of this paragraph to the contrary.”
    32 45 C.F.R. § 164.512(a)(1).
    33 For situations in which HIPAA would allow a provider to deny access, see 45 C.F.R. § 164.524(a).
    34 I.C. § 32-1015(1)(e).
    35 Id. at § 32-1015(6)(a).
    36 Id. at § 32-1015(6)(b).
    37 42 C.F.R. § 2.20.
    38 Id. at § 2.14(b)(2).
    39 I.C. § 32-1015(12).
    40 Id. at § 32-1015(12)(d).
    41 Id. at § 32-1015(12)(a).
    42 See 45 C.F.R. § 164.520 for requirements relating to the Notice of Privacy Practices.

  8. To BAA or Not to BAA: Must You Have One?

    Holland & Hart LLP | Kim Stanger | October 25, 2023

    om more than one health care provider” (e.g., a hospital and its medical staff); (2) an organized system of health care in which more than one covered entity participates and in which the participating covered entities engage in joint utilization review, quality improvement, or payment activities (e.g., provider networks); or (3) certain arrangements between group health plans and other insurers.[20] The OHCA exception only applies to covered entities (e.g., healthcare providers and health plans) that perform functions for the OHCA; it does not apply to other entities that require PHI to perform functions on behalf of the OHCA.

    Healthcare providers who receive PHI to treat patients. A healthcare provider is not a business associate of other covered entities while rendering treatment to patients.[21] As explained by the OCR:

    The HIPAA Privacy Rule explicitly excludes from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See 45 CFR 164.502(e)(1). Therefore, any covered health care provider (or other covered entity) may share [PHI] with a health care provider for treatment purposes without a business associate contract.[22]

    For example,

    - A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
    - A physician is not required to have a business associate contract with a laboratory as a condition of disclosing [PHI] for the treatment of an individual.
    - A hospital laboratory is not required to have a business associate contract to disclose [PHI] to a reference laboratory for treatment of the individual.[23]

    This exception only applies to the extent that the healthcare provider is using the PHI for treatment purposes; it would not apply if the healthcare provider is using the information to perform other functions on behalf of the covered entity.

    “For example, a hospital may enlist the services of another health care provider

  9. Business Associate Agreements: Requirements and Suggestions

    Holland & Hart LLP | October 20, 2023

    AAs. At best, they can avoid contractual obligations under the BAA, but they also expose themselves to HIPAA penalties for failing to execute a required BAA.

    Additional Resources. If you have questions about these or other issues, the Office of Civil Rights maintains a helpful website on HIPAA issues, https://www.hhs.gov/hipaa/index.html.

    1 Under HIPAA, a “covered entity” is (1) a health care provider who transmits health information in electronic form in connection with a transaction covered by HIPAA; (2) a health plan including most employee group health plans; or (3) a health care clearinghouse. (45 CFR § 160.103).
    2 A “business associate” is generally an entity that “creates, receives, maintains, or transmits protected health information” in performing functions on behalf of a covered entity. (45 CFR § 160.103). For more information on business associates, see our article at https://www.hollandhart.com/check-for-baas-penalties-for-failing-to-have-hipaa-business-associate-agreements.
    3 45 CFR § 164.502(e)(1).
    4 “Subcontractor” means “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” (45 CFR § 160.103).
    5 45 CFR § 164.502(e)(2).
    6 45 CFR §§ 160.404 and 102.3. The penalties are subject to annual adjustment.
    7 See OCR Press Releases at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ccdh/index.html, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ach/index.html, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html and https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic/index.html.
    8 45 CFR §§ 164.502(e), 164.504(e) and 164.314.
    9 OCR Press Release at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/wih/index.html.
    10 45 CFR § 164.504(e)(2)(i).
    11 “Data aggregation” means “the combinin

  10. Minors' Ability to Consent to Medical Treatment Under Utah Law

    Holland & Hart - Health Law Blog | Kristy Kimball | March 6, 2020

    2 See U.C.A. 78B-12-102, 78B-12-219.
    3 U.C.A. § 78B-3-406(6)(k).
    4 U.C.A. § 78B-3-406(6)(j).
    5 In such situations, HIPAA allows the minor to control who can access their medical records for such care. 45 CFR § 164.502(g)(3)(i)(C).
    6 See AMA Ethics Opinion 5.055, available at h.
    7 U.C.A. § 26-6-18(1).
    8 U.C.A. §§ 78B-3-406(6)(f), 26-10-9(1)(b)(iv).
    9 U.C.A. § 26-10-9(1) to (2).