- In their second blog post in a series about HIE security, the Office of the National Coordinator for Health IT’s (ONC) chief privacy officer Lucia Savage, JD, and privacy analyst Aja Brooks, JD, explained the circumstances under which the HIPAA Privacy Rule permits providers to exchange patient information.
The pair explained that there are two circumstances under which covered entities may exchange protected health information (PHI). First, they may exchange the data when the HIPAA Privacy Rule specifically permits or requires it. Second, they may exchange the data when the subject of the data (the patient) specifically authorizes the exchange.
The HIPAA Privacy Rule by default permits PHI exchange for treatment, payment, or health care operations purposes, without patient authorization.
“For example, the HIPAA Privacy Rule specifically permits a use or disclosure of PHI for the covered entity that collected or created it for its own treatment, payment, and health care operations activities,” Savage and Brooks wrote. “Similarly, HIPAA also permits the covered entity that collected or created the PHI to disclose it to another covered entity for treatment, payment, and in some cases, the health care operations of the recipient covered entity.”
Under the HIPAA Privacy Rule, “treatment” is broadly defined, and includes what one might traditionally think of as treatment, the making of referrals, and care coordination, among other functions. This is to ensure that the Privacy Rule works well in an interoperable system and does not needlessly hinder the provider.
Likewise, providers need to be cognizant of three conditions that both the sending and the receiving entity must meet for a proper exchange of health information. Both providers need to have (or have had) a relationship with the patient, the PHI exchanged must pertain to that relationship, and the sender may only disclose the minimum amount necessary for the receiver to perform the activity in question. Note that the minimum necessary standard applies to disclosures for payment and health care operations, but not to disclosures to a provider for treatment.
Providers also need to account for instances in which they exchange information over an interoperable system for purposes not covered by these default permissions.
“If the covered entity wishes to use or disclose the PHI for something other than treatment, payment, or health care operations, it must obtain patient authorization to do so, unless the use or disclosure is permitted by another provision of the HIPAA Privacy Rule,” the pair explained. “One important such rule is when a patient requests a copy of her PHI, and asks that it be sent somewhere else.”
That is to say, when a data exchange falls outside the treatment, payment, and health care operations permissions, providers must either find another provision of the HIPAA Privacy Rule that permits it, or obtain authorization from the patient.
Similar to last week’s ONC blog post, this one includes Savage and Brooks explaining the importance of these HIPAA regulations in the context of the nationwide push for interoperability. The pair maintain that these privacy rules facilitate interoperability, and vice versa.
“Nationwide interoperable health information technology (health IT) will help make the right electronic health information available to the right people at the right time for patient care and health, no matter the care setting, organization, or technology supporting the information exchange,” Savage and Brooks noted. “HIPAA’s Permitted Uses and Disclosure are rules that run ‘in the background’ in support of this important nationwide goal.”
The HIPAA Privacy Rule and its Permitted Uses and Disclosures in this way serve as the governing framework for the interoperable network being built among health IT and EHR users.
“Health information is readily available to be shared so that individuals get the right care at the right time,” the pair explained. “These background rules are made transparent to individuals through Notices of Privacy Practices.”