The Department of Health and Human Services’ Office for Civil Rights has released a new Health Insurance Portability and Accountability Act (HIPAA) Rules guidance to tackle the issue of disclosing protected health information (PHI) to health information exchanges (HIEs) including the report of public health activities to a public health authority (PHA).
An HIE is facilitates the sharing of electronic PHI (ePHI) between two unaffiliated entities that may be a health plan, a healthcare provider, or a business associate. The sharing ePHI may be due to the following reasons:
- Patient treatment
- Billing
- Medical operations
- Reporting public health activities to PHAs
- Providing products and services such as patient record collection, storage, and analysis
HIPAA permits HIEs to disclose health data to improve public health. The role of HIEs has become very important throughout the COVID public health emergency. The HIPAA Privacy Rule permits PHI disclosure by HIPAA-covered entities or business associates to an HIE that submits the reports to a PHA engaged in public health, even without obtaining individual authorization.
Disclosures such as described above are allowed when:
- Disclosures are ordered by federal, state, local, or other legislation enforced by the court
- The HIE is working with an authorized PHA for a public health activity
- The HIE is a business associate of the covered entity or another business associate, and would like to share ePHI to a PHA for a reason that concerns public health*
*The HIPAA Privacy Rule only allows an HIE to share ePHI to a PHA for public health reasons as a business associate of the covered entity if there is a signed business associate agreement (BAA) that specifically mentions it can do so. However, due to the COVID-19 public health emergency situation and OCR’s issuance of a notice of enforcement discretion, OCR won’t take action against a BA that has no written permission to share ePHI to a PHA in case it needs to share ePHI to a PHA. In such situations, the business associate must inform the covered entity within 10 calendar days about the disclosure. The OCR’s notice of enforcement discretion is valid only as long as a COVID-19 public health emergency is in force.
Take note that an HIE can only disclose to a PHA the minimum necessary ePHI to achieve the purpose for the public health data disclosure. An entity must get a request from a PHA to disclose a summary report to the PHA or HIE.
As per the HIPAA Privacy Rule, a covered entity can share ePHI to a PHA via an HIE, even without a request from the PHA, only if the covered entity knows that the PHA is working with the HIE to obtain such information, or that the HIE is working in behalf of the PHA.
Though in such a case it is not necessary to get authorizations from individuals before disclosing their PHI, it is still necessary to notify those persons about the disclosures. That may be accomplished by mentioning about it in the provider’s Notice of Privacy Practices.
Read about this new OCR guidance as well as sample cases related to COVID-19 on the HHS website.