The fourth and final installment of the ONC’s four-part blog series on HIPAA, “The Real HIPAA: Quality Assessment/Quality Improvement and Population-Based Activities Examples,” focuses once again on illustrating the interoperability of HIPAA through examples. The examples are a continuation of Part 3 and are taken directly from the ONC’s blog post.
Example 4: Quality Assessment/Quality Improvement – 45 CFR 164.506(c)(5)
Providers participating in the ACO/OHCA may permit the ACO quality committee to access the Protected Health Information (PHI) needed for the quality assessment. An Accountable Care Organization (ACO) that consists of multiple providers operating as an Organized Health Care Arrangement (OHCA) has a quality committee made up of professionals from within the ACO. In order to improve patient health and meet Medicare’s quality improvement requirements, the quality committee plans to obtain and review treatment and health outcomes of ACO patients who experienced hospital-acquired infections and surgical errors.
Where the ACO is not operated as an OHCA, but the quality committee is evaluating care quality on behalf of the individual providers in the ACO, the providers participating in the ACO may permit the ACO quality committee to access the necessary PHI for the quality assessment, but only for patients whom the requesting and disclosing providers have in common, pursuant to 164.506(c)(4), instead of for all the patients in the ACO.
In both instances (OHCA and non-OHCA), access to, or disclosure of, electronic PHI can be made using Certified EHR Technology, so long as the HIPAA Security Rule is complied with.
Example 5: Quality Assessment/Quality Improvement – 45 CFR 164.506(c)(1) and (c)(4)
As part of a quality review, a health care provider may need to know the health outcome of a patient that the provider treated but no longer has contact with (e.g., patient was transferred to another provider). The provider may query a Health Information Exchange (HIE) for the relevant health outcomes of the individual, or the provider could directly ask the subsequent provider for information.
A provider that has treated the patient and is responding to this query may use Certified EHR Technology to send the relevant information directly to the requesting health care provider, or may disclose to the requesting provider using the HIE. Disclosure of electronic PHI by Certified EHR Technology or other electronic means requires HIPAA Security Rule compliance. This scenario also works for health plans with a relationship with the patient; it is not limited to providers.
Example 6: Population-Based Activities – 45 CFR 164.506(c)(1) and (c)(4)
Unaffiliated hospitals in the same community often see the same patients and may not be able to tell whether a patient’s hospital-acquired infection resulted from care received at the current treating hospital or from a prior visit to a separate hospital in the community.
The hospitals that have treated or are treating the patient may use Certified EHR Technology to share relevant PHI to try to determine the source and/or cause of the infection in order to prevent further infections.
Disclosure of electronic PHI by Certified EHR Technology or other means requires HIPAA Security Rule compliance.
This post concludes the four-part series on HIPAA.