The Health Insurance Portability and Accountability Act (HIPAA) provides many pathways for permissibly exchanging Protected Health Information (PHI) and that's the message the Office for the National Coordinator for Health IT (ONC) wants to get across with a series of blog posts and fact sheets.
Last week, ONC posted the first blog post of what it says will be a series of blog posts and accompanying fact sheets seeking to clarify HIPAA and how it fits into the interoperability framework.
In the blog post on Health IT Buzz, ONC’s Lucia Savage, chief privacy officer and Aja Brooks, a privacy analyst, say many healthcare providers have a misconception that HIPAA impedes the sharing of electronic health data.
“What many people don’t realize is that HIPAA not only protects personal health information from misuse, but also enables that personal health information to be accessed, used, or disclosed interoperably, when and where it is needed for patient care. As illustrated in two new fact sheets we are publishing today, HIPAA provides many pathways for permissibly exchanging Protected Health Information (PHI),” Brooks and Savage wrote.
ONC developed the facts sheets with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which oversees policy and enforcement for HIPAA privacy, security and breach notification rules. The fact sheets serve to illustrate examples of when electronic health information can be exchanged “without first requiring an authorization or a writing of some type from the patient, as long as other protections or conditions are met,” Savage and Brooks stated.
Savage and Brooks also point out that the blog post series and supporting fact sheets aim to address concerns ONC frequently hears from providers, such as “whether they can interoperably exchange PHI with each other or payers and whether written patient consent is needed for such exchanges”
“The new fact sheets remind stakeholders through practical, real-life scenarios, that HIPAA supports interoperability because it gives providers permission to share PHI for patient care, quality improvement, population health, and other activities,” they wrote in the blog post.
Future blog posts will cover issues related to exchange of health information for care coordination, care planning and case management between providers and between provider and payers as well as interoperable, permissible exchange of PHI for quality assurance and population-based activities, including via a health information exchange, according to Savage and Brooks’ post.
The first fact sheet focuses on permitted uses and disclosures of PHI for health care operations and outlines instances when covered entities can disclose PHI to another covered entity or its business associate without needing patient consent or authorization, such as conducting quality assessment and improvement activities, developing clinical guidelines, developing protocols and conducting population-based activities relating to improving health or reducing healthcare costs.
The fact sheet also outlines that before a covered entity can share PHI with another covered entity the following three requirements must also be met: both covered entities must have or have had a relationship with the patient, the PHI requested must pertain to the relationship and the discloser must disclose only the minimum information necessary for the healthcare operation at hand. The fact sheet also includes a number of practical scenarios as examples of “permitted uses and disclosures” situations that fall into the healthcare operations category.
The second fact sheet posted outlines permitted uses and disclosures of PHI between and among healthcare providers as it relates to treatment. Specifically, the fact sheet highlights that covered entities may disclose PHI (whether orally, on paper, by fax, or electronically) to another provider for the treatment activities of that provider, without needing patient consent or authorization.
The fact sheet highlights the responsibilities that providers have, whether disclosing PHI or receiving PHI, for safeguarding the PHI and complying with HIPAA.
This fact sheet also reviews the role of business associates as it relates to patient information to create care plans and the role of the provider and health plan in that exchange. As outlined in the fact sheet, covered entities such as hospitals and health plans may disclose patients’ relevant PHI for care planning purposes to the requesting providers’ business associate using Certified Electronic Health Record Technology (CEHRT) and other electronic means. Disclosure of electronic PHI by CEHRT or other electronic method requires Security Rule compliance.
And, the fact sheet highlights that a business associate agreement is only required between the covered entity that hired the business associate and that business associate. “The responding covered entities may make permissible disclosures directly to the provider’s business associate for the provider’s care planning purposes (without the need to execute their own business associate agreement with the care planning company), just as they could share this information directly with the provider,” ONC and OCR stated in the fact sheet.
And, the fact sheet clarified that, under HIPAA, the patient’s other providers and health plans, which have sent PHI to the initial treating provider’s business associate, “are not responsible for what the business associate does with the PHI once it has been disclosed permissibly and securely.”
