Many providers believe that HIPAA restrictions prevent them from moving protected health information (PHI) in certain patient care situations. However, that’s a common misconception potentially hindering health IT interoperability when, in fact, HIPAA enables PHI to be accessed, used or disclosed when and where it is needed for patient care.
In a blog post published Feb. 4 on Health IT Buzz, Lucia Savage, JD, and Aja Brooks, JD, of the Office of the National Coordinator for Health IT (ONC) introduced two new government fact sheets that give examples of when electronic PHI can be exchanged without requiring written authorization from the patient as long as other protections or conditions have been met.
ONC, which oversees interoperability aspects of handling PHI, developed the materials in conjunction with the Office of Civil Rights (OCR), which administers policy and enforcement of the HIPAA privacy rules.
“Some providers are not sharing PHI due to their health care organization’s policies, procedures, or protocols, even if the sharing is permitted under HIPAA, or because laws in the provider’s state apply in addition to HIPAA. Interestingly, this lack of exchange of PHI runs contrary to consumer perception, with research demonstrating that patients assume their PHI is automatically shared between their treating physicians,” wrote Savage and Brooks.
The new fact sheets describe permitted uses and disclosures of PHI by a HIPAA covered entity (CE) without first having to obtain written authorization from the patient.
In “Permitted Uses and Disclosures: Exchange for Health Care Operations” (available here), the agencies explain that HIPAA allows a CE to disclose PHI to another CE (or that CE’s business associate) for the following operations activities of the recipient CE without needing patient consent or authorization:
- Conducting quality assessment and improvement activities.
- Developing clinical guidelines.
- Conducting patient safety activities as defined in applicable regulations.
- Conducting population-based activities relating to improving health or reducing healthcare cost.
- Developing protocols.
- Conducting case management and care coordination (including care planning).
- Contacting healthcare providers and patients with information about treatment alternatives.
- Reviewing qualifications of health care professionals.
- Evaluating performance of health care providers and/or health plans.
- Conducting training programs or credentialing activities.
- Supporting fraud and abuse detection and compliance programs.
The aforementioned activities are, however, subject to three requirements that must also be met:
- Both CEs must have or have had a relationship with the patient (can be a past or present patient).
- The PHI requested must pertain to the relationship.
- The discloser must disclose only the minimum information necessary for the healthcare operation at hand.
In “Permitted Uses and Disclosures: Exchange for Treatment” (available here), ONC and OCR explain permissible disclosure of PHI by CEs to another provider for treatment activities without needing patient consent or authorization.
The document explains what happens when a hospital discloses PHI in a permissible way to a receiving provider, who subsequently experiences a breach of the information. The receiving physician is “responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to subsequent uses or disclosures or any breaches that occur.” At the same time, the disclosing hospital is responsible for transmitting the PHI in a permitted and secure manner, which includes taking reasonable steps to send it to the right address. The fact sheet also includes sample scenarios in the areas of PHI exchange for care planning and downstream treatment.
ONC and OCR plan to publish three additional blogs on PHI exchange as related to: the goal of nationwide health IT interoperability; care coordination, planning and management; and population-based activities.