- It is a common misconception that HIPAA regulations hinder covered entities’ ability to move patient information, according to a recent blog post by ONC Chief Privacy Officer Lucia Savage, J.D. and ONC Privacy Analyst Aja Brooks, J.D.
Contrary to the widely believed misconception, HIPAA enables interoperability in many ways, according to the duo. Along with protecting PHI, HIPAA allows that data to be accessed, used, or disclosed interoperably.
“Some providers are not sharing PHI due to their health care organization’s policies, procedures, or protocols, even if the sharing is permitted under HIPAA, or because laws in the provider’s state apply in addition to HIPAA,” wrote Savage and Brooks. “Interestingly, this lack of exchange of PHI runs contrary to consumer perception, with research demonstrating that patients assume their PHI is automatically shared between their treating physicians.”
The blog post also highlights two ONC fact sheets, which highlight how electronic information can be “exchanged without first requiring an authorization or a writing of some type from the patient.”
The first fact sheet describes permitted uses and disclosures of information when it comes to treatment and healthcare operations.
Under HIPAA, covered entities can disclose PHI to other covered entities or business associates without patient consent in certain conditions. These include, but are not limited to the following:
- Conducting quality assessment and improvement activities
- Developing clinical guidelines
- Conducting patient safety activities as defined in applicable regulations
However, certain conditions must be met before PHI can be shared. First, both covered entities must have a relationship with the patient. Secondly, the PHI must pertain to that relationship. Lastly, only the minimum information necessary can be disclosed.
“For example, in sharing information with an individual’s health plan for population health programs (for example, a diabetes management program), a provider should disclose the PHI that is necessary for the program to be effective,” the fact sheet explains.
The second fact sheet discusses permitted uses and disclosures for data exchange for treatment.
A common concern that arises is who would be responsible for PHI after it has been disclosed to a receiving provider. For example, once the first hospital has disclosed it in a permissible way under HIPAA regulations, who would be responsible for how the information is handled afterwards?
“Under HIPAA, after the receiving physician has received the PHI in accordance with HIPAA, the receiving physician, as a CE itself, is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to subsequent uses or disclosures or any breaches that occur,” according to the fact sheet.
Savage and Brooks added in their blog post that ONC will be posting several more clarifications in a series of posts designed to address interoperability concerns related to HIPAA.
Blog #2 will be background on HIPAA’s Permitted Uses and Disclosures: what they are, and how they advance the national goal of interoperability. Blog #3 will give examples of exchange of health information for Care Coordination, Care Planning, and Case Management, both between providers, and between provider and payers. Finally, Blog #4 will give examples of interoperable, permissible exchange of PHI for Quality Assurance and Population-Based Activities,including via a health information exchange.
The duo explained that the subsequent blog posts and accompanying fact sheets should assist covered entities in their interoperability goals. However, organizations should also feel free to contact ONC with any concerns, as well as the Office for Civil Rights (OCR) for privacy or security clarification.