The HHS’ Office for Civil Rights (OCR) has issued new guidance to help HIPAA covered entities and their business associates understand when the Health Insurance Portability and Accountability Act (HIPAA) permits disclosures of protected health information (PHI) to health information exchanges (HIEs).
An HIE is an organization that exists to facilitate the sharing of electronic protected health information (ePHI) among multiple unaffiliated entities, including covered entities and business associates, for purposes permitted by the HIPAA Privacy Rule (treatment, payment, and healthcare operations). Another important role of HIEs, and one that has been especially important in 2020 during the COVID-19 public health emergency, is public health reporting, in which ePHI is shared with public health authorities (PHAs) to improve public health. HIEs include regional health information organizations (RHIOs) and certain clinical data registries, and HIEs may operate statewide or nationwide.
The HIPAA Privacy Rule allows HIPAA-covered entities and business associates to share ePHI with HIEs for purposes relating to treatment, payment, and healthcare operations. Disclosures of ePHI to an HIE are also permitted for reporting to a PHA that is engaged in public health activities.
The purpose of the new guidance is to explain the circumstances in which such public health disclosures are permitted. The guidance includes several examples that are relevant to the COVID-19 public health emergency.
Announcing the new guidance, OCR Director Roger Severino said, “OCR is issuing this guidance to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency.”
The guidance explains that HIPAA-covered entities and business associates are permitted to share ePHI with an HIE for the purpose of reporting to a PHA that is conducting public health activities under the following circumstances:
- When required to do so by federal, state, or local law that is enforceable in court
- When an HIE is a business associate of the covered entity (or of another business associate) that wishes to provide PHI to a PHA for public health purposes.
- When an HIE is acting under a grant of authority or contract with a PHA for a public health activity.
OCR has also confirmed that when a PHA requests a summary record of a specified data set, covered entities may rely on the PHA’s request as being for the minimum necessary information needed to achieve its stated public health purpose. OCR further confirmed that a covered entity is permitted to disclose PHI to a PHA through an HIE without having received a direct request from the PHA.
Disclosures of ePHI to an HIE are permitted without having to obtain individual authorization from patients or health plan members; however, notice about those disclosures should be provided through the organization’s Notice of Privacy Practices.
One point in the guidance is only valid for the duration of the COVID-19 public health emergency and was the subject of a notice of enforcement discretion issued by OCR earlier this year. Ordinarily, business associates of HIPAA-covered entities are permitted to disclose ePHI (through an HIE) to a PHA that is engaged in public health activities only if their business associate agreement (BAA) with the covered entity expressly permits this.
The notice of enforcement discretion explained that OCR will not impose sanctions or penalties on business associates that disclose ePHI for this purpose when their business associate agreement does not expressly permit it, provided they inform the covered entity about the disclosure within 10 days of the disclosure being made. Once the COVID-19 public health emergency is declared over, business associates will only be able to disclose ePHI through an HIE to a PHA if the disclosure is consistent with their BAA.