OCR Clarifies HIPAA Guidance for HIEs Sharing Public Health Data

Dec. 21, 2020
The updated guidance answers key questions around health information exchanges and disclosing PHI during a public health emergency

The Office for Civil Rights (OCR) has updated guidance on how HIPAA permits covered entities and their business associates to use health information exchanges (HIEs) to disclose protected health information (PHI) for public health purposes during an emergency.

The OCR guidance provides examples relevant to the COVID-19 public health emergency on how HIPAA permits covered entities and their business associates to disclose PHI to an HIE for reporting to a public health authority (PHA) that is engaged in public health activities. The guidance answers these specific issues:

Defining what qualifies as an HIE. For purposes of this guidance, an HIE is an organization that enables the sharing of electronic protected health information (ePHI) among more than two unaffiliated entities, such as healthcare providers, health plans, and business associates, for treatment, payment, or healthcare operations (TPO) purposes. An HIE also may provide other functions and services to its participants (e.g., covered entities, business associates), such as public health reporting to PHAs, patient record location, and data aggregation and analysis.

When does the HIPAA Privacy Rule permit a covered entity or its business associate to disclose PHI to an HIE for purposes of reporting the PHI to a PHA, without an individual's authorization? According to the guidance, the Privacy Rule permits covered entities or their business associates to disclose PHI to an HIE for the HIE to report PHI to a PHA conducting public health activities in any of the following circumstances: when the disclosure is required by law; when an HIE is a business associate of the covered entity (or of another business associate) that wishes to provide PHI to a PHA for public health purposes; or when an HIE is acting under a grant of authority or contract with a PHA for a public health activity.

Can a covered entity rely on a PHA's request to disclose a summary record to a PHA or HIE as being the minimum necessary PHI needed by the PHA to accomplish the public health purpose of the disclosure? The guidance says yes; when a PHA requests a summary record or other specified data set, the covered entity may rely, if such reliance is reasonable under the circumstances, on the request being the minimum necessary information the PHA needs for its stated public health purpose if the PHA so represents. In such cases, the Privacy Rule does not require a covered entity to make an independent determination of minimum necessary when responding to a request from a PHA for the PHA’s public health activities.

May a covered entity disclose PHI to a PHA through an HIE without receiving a direct request from the PHA? According to the guidance, yes: The Privacy Rule permits a covered entity to disclose PHI through an HIE to a PHA for public health activities, and this permission does not require that the covered entity receive a direct request for PHI from the PHA if the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting on behalf of the PHA.

May an HIE provide PHI it has received as a business associate of a covered entity to a PHA for public health purposes without first obtaining permission from the covered entity? Yes, during the COVID-19 public health emergency, according to the guidance. OCR will not impose penalties on a business associate HIE for violations of certain provisions of the Privacy Rule if the HIE transmits PHI it receives as a covered entity's business associate to a PHA for the PHA's public health activities, regardless of whether the HIE's BAA with the healthcare provider permits such disclosure or the provider otherwise authorizes the disclosure.

Is a covered entity required to provide notice to individuals about its disclosures of PHI to a PHA for public health purposes? Is an HIE that is a business associate required to provide such notice? The guidance states that yes, a covered entity is required to provide individuals with notice that it discloses PHI for public health purposes in the covered entity's Notice of Privacy Practices (NPP). The Privacy Rule requires a covered entity to include in its NPP a description of the purposes, which would include public health purposes, for which the covered entity may use or disclose PHI without an individual's authorization. As a result, individuals receive advance notice that their PHI may be used or disclosed for public health purposes when they receive a copy of an NPP, or when they review the covered entity's NPP on its website.

"OCR is issuing this guidance to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public's health, particularly during the COVID-19 public health emergency," OCR Director Roger Severino said in a statement.
