- Several situations where health data sharing is permissible under HIPAA regulations were recently highlighted in a new fact sheet released by the Office of the National Coordinator for Health IT Technology (ONC) and the HHS Office for Civil Rights (OCR).
ONC Chief Privacy Officer Lucia Savage and CDC Director of the Public Health Law Program, Office for State, Tribal, Local and Territorial Support Matthew Penn discussed the fact sheet in a blog post. Individuals may not take advantage of electronic health record data because of confusion surrounding HIPAA rules, the duo explained.
“ONC has highlighted the many circumstances in which HIPAA supports electronic exchange of PHI for treatment and specific kinds of health care operations,” Savage and Penn wrote. “The new fact sheet provides examples about how HIPAA supports the electronic exchange of information, including contagious disease tracking, provider participation in cancer registries, and monitoring the health of children who have experienced lead poisoning.”
Not only is HIPAA designed to protect patients from improper disclosures of their private health information, but it also ensures that information can flow to support public health activities, the two explained.
In the fact sheet, ONC and OCR reviewed nine hypothetical scenarios in which patient data may need to be shared.
For example, data may need to be exchanged in the reporting of a disease at a hospital or healthcare provider. ONC and OCR used the pretend Healthy Hospital to explain how information might need to be shared for the benefit of public health.
“Healthy Hospital may use health IT certified by the ONC Health IT Certification program (certified health IT) to disclose PHI to the CDC in response to the request and may reasonably rely on CDC’s request as to the PHI needed,” the fact sheet reads. “Healthy Hospital must meet the requirements of the HIPAA Security Rule if providing electronic PHI to CDC.”
Another scenario discussed data exchange for individuals exposed to communicable diseases and for any related public health investigation.
OCR previously released guidelines on this topic in November 2014, following reported cases of the Ebola virus in the US. Public health authorities and facilities responsible for ensuring public health and safety can have access to PHI that helps them fulfill their mission to keep the public safe, the OCR bulletin explained.
“A covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose,” OCR said. “Internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.”
The recent fact sheet also explained how data exchange may be subject to Food and Drug Administration (FDA) jurisdiction, as medical devices are subject to FDA jurisdiction.
In this scenario, ONC and OCR discussed a theoretical recall of the fictional HeartWare2.0. The device was implanted in 35 patients before it was recalled. Certain PHI, such as patient contact information and other health information about the affected patients, may be disclosed to the FDA.
However, the doctor must disclose only the information she deems necessary to support the recall. The doctor may also seek the manufacturer’s input in making that decision, but it is not required.
Another example reviewed how information may be exchanged in support of medical surveillance of the workplace.
If an employee works for a company called Mining 247, and is in charge of monitoring work safety conditions, this is also known as medical surveillance of the workplace, ONC and OCR explained.
“At the request of Mining 247 Company, Dr. Hopeful provides health care evaluation services to [the employee] so the company can evaluate work-related illness and injuries and conduct medical surveillance,” the fact sheet stated. “Mining 247 Company needs this information to comply with the Mine Safety and Health Administration (MSHA) and state laws.”
The doctor may also disclose the employee’s workplace medical surveillance-related PHI to Mining 247 Company. However, Dr. Hopeful must provide that employee “with written notice that the information will be disclosed to his or her employer at the time the health care evaluation is provided.” Either that, or the notice must be prominently posted at the worksite or where the service is provided.
“Dr. Hopeful must only disclose the minimum necessary PHI that consists of findings concerning the workplace surveillance,” ONC and OCR wrote. “Dr. Hopeful discloses the information to Mining 247. As she disclosed the information electronically, the HIPAA Security Rule applies to her disclosure.”