Tuesday, February 16, 2016

ONC Blog Series Part 2: Permitted Uses and Disclosures in HIPAA

In our continuing coverage of the ONC’s four-part blog series, we focus today on Part 2: “The Real HIPAA: Permitted Uses and Disclosures.” This blog post summarizes the new ONC fact sheets on HIPAA Permitted Uses and Disclosures for exchange, developed in conjunction with the Office for Civil Rights.

The HIPAA Privacy Rule defines when, under federal law, a covered entity may use or disclose an individual’s Protected Health Information (PHI). In general, a covered entity may only use or disclose PHI if either: (1) the HIPAA Privacy Rule specifically permits or requires it; or (2) the individual who is the subject of the information gives authorization in writing.

The HIPAA Privacy Rule specifically permits the covered entity that collected or created PHI to use or disclose it for its own treatment, payment, and health care operations activities. Similarly, HIPAA also permits the covered entity that collected or created the PHI to disclose it to another covered entity for the treatment, payment, and, in some cases, the health care operations of the recipient covered entity.

If the covered entity wishes to use or disclose the PHI for something other than treatment, payment, or health care operations, it must obtain patient authorization to do so, unless the use or disclosure is permitted by another provision of the HIPAA Privacy Rule. One important example is when a patient requests a copy of her PHI and asks that it be sent somewhere else.

OCR recently clarified that, when an individual requests a copy of her PHI and asks that it be sent directly to a third party, a provider must comply except in very narrow circumstances.

With regard to the national priority of interoperability, nationwide interoperable health information technology (health IT) will help make the right electronic health information available to the right people at the right time for patient care and health, no matter the care setting, organization, or technology supporting the information exchange. HIPAA’s Permitted Uses and Disclosures are rules that run “in the background” in support of this important nationwide goal. These background rules are made transparent to individuals through Notices of Privacy Practices. And, as to privacy protections, the HIPAA Privacy Rule applies the same whether the PHI is on a piece of paper or is electronic. (The Security Rule, in contrast, applies only to electronic PHI.)

ONC has released two new fact sheets to break down HIPAA’s permitted uses and disclosures.

As discussed in the Exchange for Treatment fact sheet, under HIPAA, a covered entity provider can disclose PHI to another covered entity provider for the treatment activities of the recipient health care provider, without needing patient consent or authorization. Treatment is broadly defined. It includes making and receiving referrals; coordination or management of health care and related services by a provider, even through a hired third party (for example, a nutritionist); and several other functions.

Likewise, a covered entity can disclose PHI to another covered entity (CE) or that CE’s business associate (BA) for the following subset of health care operations activities of the recipient covered entity without needing patient consent or authorization:
  • Conducting quality assessment and improvement activities
  • Developing clinical guidelines
  • Conducting patient safety activities as defined in applicable regulations
  • Conducting population-based activities relating to improving health or reducing health care cost
  • Developing protocols
  • Conducting case management and care coordination (including care planning)
  • Contacting health care providers and patients with information about treatment alternatives
  • Reviewing qualifications of health care professionals
  • Evaluating performance of providers and/or health plans
  • Conducting training programs or credentialing activities
  • Supporting fraud and abuse detection and compliance programs.

In general, before a covered entity can share PHI with another covered entity for one of the reasons noted above, the following three requirements must also be met:

  1. Both covered entities must have or have had a relationship with the patient (can be a past or present patient)
  2. The PHI requested must pertain to the relationship
  3. The discloser must disclose only the minimum information necessary for the health care operation at hand.

Under HIPAA’s minimum necessary provisions, a provider must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure or request. If the covered entities are in an “Organized Health Care Arrangement,” or “OHCA,” as defined in the HIPAA Privacy Rule (45 CFR 160.103), additional capabilities may exist for interoperable exchange of PHI.
