
Friday, March 4, 2016

ONC Blog Series Part 4: Quality Assessment/Quality Improvement and Population-Based Activities Examples

The fourth and final installment of the ONC’s four-part blog series on HIPAA, “The Real HIPAA: Quality Assessment/Quality Improvement and Population-Based Activities Examples,” once again uses examples to illustrate how HIPAA supports interoperable exchange. The examples continue the numbering from Part 3 and are taken directly from the ONC’s blog post.


Example 4: Quality Assessment/Quality Improvement – 45 CFR 164.506(c)(5)

An Accountable Care Organization (ACO) that consists of multiple providers operating as an Organized Health Care Arrangement (OHCA) has a quality committee made up of professionals from within the ACO. In order to improve patient health and meet Medicare’s quality improvement requirements, the quality committee plans to obtain and review treatment and health outcomes of ACO patients who experienced hospital-acquired infections and surgical errors. Providers participating in the ACO/OHCA may permit the ACO quality committee to access the Protected Health Information (PHI) needed for the quality assessment.

Where the ACO is not operated as an OHCA, but the quality committee is evaluating care quality on behalf of the individual providers in the ACO, the providers participating in the ACO may permit the ACO quality committee to access the necessary PHI for the quality assessment, but only for patients whom the requesting and disclosing providers have in common, pursuant to 45 CFR 164.506(c)(4), rather than for all of the patients in the ACO.

In both instances (OHCA and non-OHCA), access to, or disclosure of, electronic PHI can be made using Certified EHR Technology, so long as the HIPAA Security Rule is complied with.


Example 5: Quality Assessment/Quality Improvement – 45 CFR 164.506(c)(1) and (c)(4)

As part of a quality review, a health care provider may need to know the health outcome of a patient that the provider treated but no longer has contact with (e.g., the patient was transferred to another provider). The provider may query a Health Information Exchange (HIE) for the relevant health outcomes of the individual, or the provider could directly ask the subsequent provider for the information.

A provider that has treated the patient and is responding to this query may use Certified EHR Technology to send the relevant information directly to the requesting health care provider, or may disclose to the requesting provider using the HIE. Disclosure of electronic PHI by Certified EHR Technology or other electronic means requires HIPAA Security Rule compliance. This scenario also works for health plans with a relationship with the patient; it is not limited to providers.


Example 6: Population-Based Activities – 45 CFR 164.506(c)(1) and (c)(4)

Unaffiliated hospitals in the same community often see the same patients and may not be able to tell whether a patient’s hospital-acquired infection resulted from care received at the current treating hospital or from a prior visit to a separate hospital in the community.

The hospitals that have treated or are treating the patient may use Certified EHR Technology to share relevant PHI to try to determine the source and/or cause of the infection in order to prevent further infections.

Disclosure of electronic PHI by Certified EHR Technology or other means requires HIPAA Security Rule compliance.


This post concludes the four-part series on HIPAA.

Tuesday, February 23, 2016

ONC Blog Series Part 3: Care Coordination, Care Planning, and Case Management Examples Under HIPAA

In the third installment of ONC’s four-part blog series on HIPAA, care coordination, care planning, and case management are in focus. Blog post Part 3: “The Real HIPAA: Care Coordination, Care Planning, and Case Management Examples” gives additional practical examples of exchange for Treatment and exchange for Health Care Operations. The following examples are taken directly from the ONC’s post.

Example 1: Care Coordination – 45 CFR 164.506(c)(2)

A hospital is preparing to discharge a patient who will need ongoing, facility-based care. The inpatient facility needs to identify a rehabilitation facility to accept the patient. Prospective facilities will need Protected Health Information (PHI) about the patient to determine whether they can provide the right care.

The current hospital may disclose the relevant PHI to prospective facilities without first obtaining the patient’s written authorization. The disclosing hospital may use Certified EHR Technology, so long as the disclosure is done in a manner that meets the HIPAA Security Rule.

This disclosure is a treatment disclosure (in anticipation of future treatment of the patient by the rehabilitation facility) and thus, may be carried out under 45 CFR 164.506(c)(2).

But, you might wonder, because the PHI came from the inpatient facility, will the inpatient facility be held responsible under HIPAA for what the rehabilitation facilities do with the PHI once they have received it in a permissible way under HIPAA?

Under HIPAA, the inpatient facility is responsible only for complying with HIPAA in disclosing the PHI to the rehabilitation facility in a permitted and secure manner. This includes sending the PHI securely and taking reasonable steps to send it to the right address. After the rehabilitation facility has received the PHI in accordance with HIPAA, the rehabilitation facility, as a covered entity itself, is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to any breaches that occur. The responsibility of the sending provider was to send it securely to the right address; the sending provider is not responsible for its security once received by another covered entity or the recipient covered entity’s business associate (BA).


Example 2: Care Planning By a Provider – 45 CFR 164.506(c)(1) and (c)(2)

A provider wants to ensure that her patients have a comprehensive care plan after they are discharged from the hospital. The provider hires a care planning company (i.e., its BA) to develop these plans for her patients.

To develop the plan, the care planning company requests pertinent PHI about each patient from the patients’ other providers, such as the hospitals to which the patients have been admitted for the same or similar medical care and the patients’ health plans. Each of these covered entities may disclose the relevant PHI for care planning purposes using Certified EHR Technology. Disclosure of electronic PHI by such technology or other electronic method requires HIPAA Security Rule compliance.

In this scenario, a business associate agreement (BAA) is only required between the covered entity that hires the care planning company and that company. The covered entities who permissibly disclose PHI in this scenario may do so directly to the provider’s care planning company for the provider’s care planning purposes (without the need to execute their own BAA) just as they could share this information directly with the provider. Electronic PHI disclosed in this scenario, for example using Certified EHR Technology, must be disclosed consistent with the HIPAA Security Rule.


Example 3: Case Management by a Payer – 45 CFR 164.506(c)(1) and (c)(4)

A health plan hires a health care management company to provide semi-monthly nutritional advice and coaching to its diabetic and pre-diabetic members. The care management company is a BA of the health plan. In order to provide appropriate nutritional advice and coaching, the health care management company needs additional information about these individuals to ensure the advice is consistent with the treatment they receive from their providers.

The health care management company may query the relevant providers to obtain information that could impact the nutritional advice. Providers may respond to the query using Certified EHR Technology and may disclose PHI necessary for the case management purpose for which the nutritional coach was hired by the health plan. Disclosure of electronic PHI by Certified EHR Technology or other method requires HIPAA Security Rule compliance.

In this scenario, the disclosures by the providers to the nutritional coach are for the Health Care Operations (“population-based activities relating to improving health or reducing costs” and “case management”) of the health plan, and therefore are Permissible Disclosures under HIPAA. Likewise, a BAA is only required between the health plan covered entity and the health care management company it hired. The providers may make permissible disclosures of PHI to that company without a BAA between the discloser and that company.


Once again, the providers sharing PHI with the health care management company hired by the health plan are not responsible under HIPAA for what that company or the health plan subsequently does with the information once it has been sent for a permissible reason and in a secure manner.

Tuesday, February 16, 2016

ONC Blog Series Part 2: Permitted Uses and Disclosures in HIPAA

In our continuing coverage of the ONC’s four-part blog series, we focus today on Part 2: “The Real HIPAA: Permitted Uses and Disclosures.” This blog post summarizes the new ONC fact sheets on HIPAA Permitted Uses and Disclosures for exchange, developed in conjunction with the Office for Civil Rights.

The HIPAA Privacy Rule defines when, under federal law, a covered entity may use or disclose an individual’s Protected Health Information (PHI). In general, a covered entity may only use or disclose PHI if either: (1) the HIPAA Privacy Rule specifically permits or requires it; or (2) the individual who is the subject of the information gives authorization in writing.

The HIPAA Privacy Rule specifically permits a use or disclosure of PHI for the covered entity that collected or created it for its own treatment, payment, and health care operations activities. Similarly, HIPAA also permits the covered entity that collected or created the PHI to disclose it to another covered entity for treatment, payment, and in some cases, the health care operations of the recipient covered entity.

If the covered entity wishes to use or disclose the PHI for something other than treatment, payment, or health care operations, it must obtain patient authorization to do so, unless the use or disclosure is permitted by another provision of the HIPAA Privacy Rule. One important such rule is when a patient requests a copy of her PHI, and asks that it be sent somewhere else.

OCR recently clarified that, when an individual requests a copy of her PHI and asks that it be sent directly to a third party, a provider must comply except in very narrow circumstances.

With regard to the national priority of interoperability, nationwide interoperable health information technology (health IT) will help make the right electronic health information available to the right people at the right time for patient care and health, no matter the care setting, organization, or technology supporting the information exchange. HIPAA’s Permitted Uses and Disclosures are rules that run “in the background” in support of this important nationwide goal. These background rules are made transparent to individuals through Notices of Privacy Practices. And, as to privacy protections, the HIPAA Privacy Rule applies the same whether the PHI is on a piece of paper or is electronic. (The Security Rule, in contrast, applies only to electronic PHI.)

ONC has released two new fact sheets that break down HIPAA’s permitted uses and disclosures.


As discussed in the Exchange for Treatment fact sheet, under HIPAA, a covered entity provider can disclose PHI to another covered entity provider for the treatment activities of the recipient health care provider, without needing patient consent or authorization. Treatment is broadly defined. It includes making and receiving referrals; coordination or management of health care and related services by a provider, even through a hired third party (for example, a nutritionist); and several other functions.

Likewise, a covered entity can disclose PHI to another covered entity (CE) or that CE’s business associate (BA) for the following subset of health care operations activities of the recipient covered entity without needing patient consent or authorization:
  • Conducting quality assessment and improvement activities
  • Developing clinical guidelines
  • Conducting patient safety activities as defined in applicable regulations
  • Conducting population-based activities relating to improving health or reducing health care cost
  • Developing protocols
  • Conducting case management and care coordination (including care planning)
  • Contacting health care providers and patients with information about treatment alternatives
  • Reviewing qualifications of health care professionals
  • Evaluating performance of providers and/or health plans
  • Conducting training programs or credentialing activities
  • Supporting fraud and abuse detection and compliance programs.

In general, before a covered entity can share PHI with another covered entity for one of the reasons noted above, the following three requirements must also be met:

  1. Both covered entities must have or have had a relationship with the patient (can be a past or present patient)
  2. The PHI requested must pertain to the relationship
  3. The discloser must disclose only the minimum information necessary for the health care operation at hand.
Under HIPAA’s minimum necessary provisions, a provider must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure or request. If the covered entities are in an “Organized Health Care Arrangement,” or “OHCA,” as defined in the HIPAA Privacy Rule (45 CFR 160.103), additional capabilities may exist for interoperable exchange of PHI.

Friday, February 12, 2016

ONC Blog Series Part 1: HIPAA and Interoperability

In February 2016, the Office of the National Coordinator for Health Information Technology (ONC) launched a new four-part blog series to explain the permitted uses of health information under HIPAA. The series emphasizes that HIPAA not only protects personal health information from misuse, it also enables personal health information to be accessed, used or disclosed interoperably, when and where it is needed for patient care.

We begin our coverage of the four-part series with Part 1: The Real HIPAA Supports Interoperability. This introductory post establishes HIPAA as serving the dual functions of protecting personal health information from misuse and also enabling personal health information to be used between Covered Entities (CE) under specific conditions.

ONC released two new fact sheets which give numerous examples of when electronic health information can be exchanged without first requiring an authorization or a writing of some type from the patient, so long as other protections or conditions are met. HIPAA provides many pathways for permissibly exchanging Protected Health Information (PHI).


The new fact sheets remind stakeholders through practical, real-life scenarios, that HIPAA supports interoperability because it gives providers permission to share PHI for patient care, quality improvement, population health, and other activities.

Next week, the blog series will continue to delve further into Permitted Uses and Disclosures. According to ONC, Blog #2 will be background on HIPAA’s Permitted Uses and Disclosures: what they are, and how they advance the national goal of interoperability. Blog #3 will give examples of exchange of health information for Care Coordination, Care Planning, and Case Management, both between providers, and between providers and payers. Finally, Blog #4 will give examples of interoperable, permissible exchange of PHI for Quality Assurance and Population-Based Activities, including via a health information exchange.