Healthcare Information Security

HIPAA and Compliance News

ONC Discusses HIPAA Regulation in Care Coordination

When transferring PHI between a HIPAA covered entity and a business associate, providers must adhere to HIPAA regulations.

By Sara Heath

- The Office of the National Coordinator for Health IT (ONC) has posted its third blog post in its series on HIE security under HIPAA regulation, this week covering how covered entities can exchange information for care coordination and care management purposes.

ONC logo

The authors, chief privacy officer Lucia Savage, JD, and privacy analyst Aja Brooks, JD, provided three examples to demonstrate how HIPAA and privacy works when providers are exchanging information for care coordination and care management purposes.

First, the pair explained an instance where a provider is referring her patient to a long-term rehabilitation facility. In order to determine which facility would be a good fit for the patient’s needs, the provider must share some PHI with potential care facilities.

These actions are allowed under HIPAA, according to Savage and Brooks, who explain that the PHI may be exchanged through Certified EHR Technology (CEHRT).

The pair also explained the repercussions the original provider may face if the rehabilitation facility receiving the PHI may experience a security breach. Being a HIPAA covered entity itself, the rehabilitation facility is fully responsible for the security of the PHI after it has received it, so long as the original provider transferred the PHI securely.

“After the rehabilitation facility has received the PHI in accordance with HIPAA, the rehabilitation facility, as a covered entity itself, is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to any breaches that occur,” Savage and Brooks explained. “The responsibility of the sending provider was to send it securely to the right address; the sending provider is not responsible for its security once received by another covered entity or the recipient covered entity’s business associate (BA).”

The second example the pair provided included PHI transfers for provider care planning. When a provider contacts a BA to help plan care for a patient following hospital discharge, the BA must receive some PHI regarding the patient in order to make a comprehensive strategy.

These situations also call for HIPAA compliant HIE using CERHT.

In this instance, the BA may need to receive PHI from more than just the original provider; it may also need information from the patient’s other care providers (i.e. a primary care provider). In this case, the primary care provider does not need to establish a business associate agreement. Only the BA and the original provider need to do that.

The final example details a health plan arranging care management by sending semi-monthly nutrition advice to a patient. To do so, the health plan enlists a BA. As in previous examples, the BA needs PHI to determine its care management strategy, and is able to receive this PHI through HIPAA-compliant channels between itself and the health plan.

This is because the care management services fall under the Health Care Operations umbrella of the health plan and is a permissible disclosure under HIPAA.

Likewise, in this scenario the health plan is not responsible for the security of the PHI once it is in the hands of the BA, so long as the health plan sent the PHI in a secure manner.

In previous weeks, Savage and Brooks covered how HIPAA relates to HIE by reviewing permissible disclosures under HIPAA. These reviews also reinforced the notion that health IT interoperability is indeed possible under – and perhaps facilitated by – HIPAA because of the permissible disclosure provisions written in the rule.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks