ONC, OCR Fact Sheet Discusses HIPAA Health Data Exchange

HIPAA regulations support health data exchange at the federal, state, and local level, with oversight agencies also able to share PHI.

By Elizabeth Snell

In an effort to answer questions over how oversight agencies can receive information in health data exchange, the Office of the National Coordinator (ONC) and Office for Civil Rights (OCR) released a fact sheet discussing how HIPAA allows such information to be used.

Health oversight agencies can exchange health data under HIPAA

Entities at the federal, state, or local level may license healthcare professionals or health insurance companies, administer a state Medicaid program, or monitor healthcare programs’ compliance and efficacy, ONC Chief Privacy Officer Lucia Savage, JD, wrote in a blog post.

Because of this, the oversight agency may be required to receive individuals’ PHI.

Savage noted that “a key provision of the HIPAA Privacy Rule permits covered entities to share protected health information (PHI) electronically with health oversight agencies without obtaining written authorization from the individual or patient.”  

The fact sheet reviews several examples of how data exchange can legally occur under HIPAA rules with health oversight agencies.

An Office of the Health Insurance Commissioner (OHIC) operating under state law could be a health oversight agency that is authorized to approve and oversee employer-sponsored group health plans in the state, ONC and OCR explained.

“As part of that oversight authority, OHIC evaluates conduct in the insurance market, including reviewing how claims are handled and other aspects of the insurers’ operations,” the fact sheet read. “OHIC requests that the Model Company’s health plan in State X provide claims data that includes PHI on their active health plan enrollees indicating for whom claims were processed and for what purpose.”  

Another example given is with a state medical board. In this scenario, a state medical board is a health oversight agency because it oversees healthcare provider licensees in the state.

The board can ask a state-licensed physician for data that substantiates her state licensing requirement compliance because the board is investigating a series of related complaints against the doctor.

In this case, the doctor in question may disclose PHI to the medical board for health oversight activities.

Health data exchange for government benefits programs is also permissible under the HIPAA Privacy Rule.

“The Medicaid Fraud Control Unit in State X’s State Attorneys General office has authority to conduct investigations of provider compliance with Medicaid requirements,” the fact sheet stated. “State X’s Medicaid Fraud Control Unit begins an investigation of Sunset Nursing Home to ensure its eligibility to be paid Medicaid funds following some consumer complaints.”

The nursing home is allowed to disclose PHI to the Medicaid Fraud Control Unit if requested for health oversight activities.

The fact sheet also stressed that other HIPAA Privacy and Security aspects may need to be considered with certain cases of PHI disclosure. For example, business associate disclosures must be consistent with a business associate agreement.

The Privacy Rule’s minimum necessary requirement also needs to be taken into account.

“The discloser is permitted to reasonably rely on the health oversight agency’s description of what the agency believes is necessary for its oversight purposes,” ONC and OCR explained.

Disclosures can also be done electronically, as long as the transmission adheres to the Security Rule requirements.

Once information has been sent to a health oversight agency for a permissible reason and in a secure manner, the covered entity or business associate is no longer responsible for what is subsequently done with that information.

ONC and OCR also listed the following considerations:

  • A health oversight agency is NOT the covered entity’s (CE) business associate (BA), so a business associate agreement (BAA) between the CE and the health oversight agency is neither required nor warranted
  • For verification purposes, a discloser may request that the health oversight agency supply a written statement on appropriate government letterhead, or other documentation of the health oversight agency’s identity and authority
  • In addition, depending on the circumstances, certain disclosures permitted under the health oversight provisions may also be permitted under other provisions of the HIPAA Rules, such as those that permit disclosures required by law. Depending on the permission relied upon to disclose PHI, different conditions may apply.

ONC and OCR addressed similar issues in December 2016, discussing how HIPAA supports electronic exchange of PHI for treatment and specific kinds of healthcare operations.

HIPAA is designed to protect patients from improper disclosures of their private health information, and it also ensures that information can flow to support public health activities, Savage and Matthew Penn, Director of the CDC Public Health Law Program in the Office for State, Tribal, Local and Territorial Support, said in an earlier blog post.
