
Friday, March 4, 2016

ONC Blog Series Part 4: Quality Assessment/Quality Improvement and Population-Based Activities Examples

The fourth and final installment of the ONC’s four-part blog series on HIPAA, “The Real HIPAA: Quality Assessment/Quality Improvement and Population-Based Activities Examples,” once again uses worked examples to show how HIPAA permits the exchange of health information. The examples continue the numbering from Part 3 and are taken directly from the ONC’s blog post.


Example 4: Quality Assessment/Quality Improvement – 45 CFR 164.506(c)(5)

An Accountable Care Organization (ACO) that consists of multiple providers operating as an Organized Health Care Arrangement (OHCA) has a quality committee made up of professionals from within the ACO. In order to improve patient health and meet Medicare’s quality improvement requirements, the quality committee plans to obtain and review treatment and health outcomes of ACO patients who experienced hospital-acquired infections and surgical errors. Providers participating in the ACO/OHCA may permit the ACO quality committee to access the Protected Health Information (PHI) needed for the quality assessment.

Where the ACO is not operated as an OHCA, but the quality committee is evaluating care quality on behalf of the individual providers in the ACO, the providers participating in the ACO may permit the ACO quality committee to access the necessary PHI for the quality assessment, but only for patients whom the requesting and disclosing providers have in common, pursuant to 164.506(c)(4), instead of for all the patients in the ACO.

In both instances (OHCA and non-OHCA), access to, or disclosure of, electronic PHI can be made using Certified EHR Technology, so long as the HIPAA Security Rule is complied with.


Example 5: Quality Assessment/Quality Improvement – 45 CFR 164.506(c)(1) and (c)(4)
As part of a quality review, a health care provider may need to know the health outcome of a patient that the provider treated but no longer has contact with (e.g., patient was transferred to another provider). The provider may query a Health Information Exchange (HIE) for the relevant health outcomes of the individual, or the provider could directly ask the subsequent provider for information.


A provider that has treated the patient and is responding to this query may use Certified EHR Technology to send the relevant information directly to the requesting health care provider, or may disclose to the requesting provider using the HIE. Disclosure of electronic PHI by Certified EHR Technology or other electronic means requires HIPAA Security Rule compliance. This scenario also works for health plans with a relationship with the patient; it is not limited to providers.


Example 6: Population-Based Activities – 45 CFR 164.506(c)(1) and (c)(4)

Unaffiliated hospitals in the same community often see the same patients and may not be able to tell whether a patient’s hospital-acquired infection resulted from care received at the current treating hospital or from a prior visit to a separate hospital in the community.

The hospitals that have treated or are treating the patient may use Certified EHR Technology to share relevant PHI to try to determine the source and/or cause of the infection in order to prevent further infections.

Disclosure of electronic PHI by Certified EHR Technology or other means requires HIPAA Security Rule compliance.


This post concludes the four-part series on HIPAA.

Tuesday, February 23, 2016

ONC Blog Series Part 3: Care Coordination, Care Planning, and Case Management Examples Under HIPAA

In the third installment of ONC’s four-part blog series on HIPAA, care coordination, care planning, and case management are in focus. Blog post Part 3: “The Real HIPAA: Care Coordination, Care Planning, and Case Management Examples” gives additional practical examples of exchange for Treatment and exchange for Health Care Operations. The following examples are taken directly from the ONC’s post.

Example 1: Care Coordination – 45 CFR 164.506(c)(2)

A hospital is preparing to discharge a patient who will need ongoing, facility-based care. The inpatient facility needs to identify a rehabilitation facility to accept the patient. Prospective facilities will need Protected Health Information (PHI) about the patient to determine whether they can provide the right care.

The current hospital may disclose the relevant PHI to prospective facilities without first obtaining the patient’s written authorization. The disclosing hospital may use Certified EHR Technology, so long as the disclosure is done in a manner that meets the HIPAA Security Rule.

This disclosure is a treatment disclosure (in anticipation of future treatment of the patient by the rehabilitation facility) and thus, may be carried out under 45 CFR 164.506(c)(2).

But, you might wonder, because the PHI came from the inpatient facility, will the inpatient facility be held responsible under HIPAA for what the rehabilitation facilities do with the PHI once they have received it in a permissible way under HIPAA?

Under HIPAA, the inpatient facility is responsible only for complying with HIPAA in disclosing the PHI to the rehabilitation facility in a permitted and secure manner. This includes sending the PHI securely and taking reasonable steps to send it to the right address. After the rehabilitation facility has received the PHI in accordance with HIPAA, the rehabilitation facility, as a covered entity itself, is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to any breaches that occur. The responsibility of the sending provider was to send it securely to the right address; the sending provider is not responsible for its security once received by another covered entity or the recipient covered entity’s business associate (BA).


Example 2: Care Planning By a Provider – 45 CFR 164.506(c)(1) and (c)(2)

A provider wants to ensure that her patients have a comprehensive care plan after they are discharged from the hospital. The provider hires a care planning company (i.e., its BA) to develop these plans for her patients.

To develop the plan, the care planning company requests pertinent PHI about each patient from the patients’ other providers, such as the hospitals to which the patients have been admitted for the same or similar medical care and the patients’ health plans. Each of these covered entities may disclose the relevant PHI for care planning purposes using Certified EHR Technology. Disclosure of electronic PHI by such technology or other electronic method requires HIPAA Security Rule compliance.

In this scenario, a business associate agreement (BAA) is only required between the covered entity that hires the care planning company and that company. The covered entities who permissibly disclose PHI in this scenario may do so directly to the provider’s care planning company for the provider’s care planning purposes (without the need to execute their own BAA) just as they could share this information directly with the provider. Electronic PHI disclosed in this scenario, for example using Certified EHR Technology, must be disclosed consistent with the HIPAA Security Rule.


Example 3: Case Management by a Payer – 45 CFR 164.506(c)(1) and (c)(4)

A health plan hires a health care management company to provide semi-monthly nutritional advice and coaching to its diabetic and pre-diabetic members. The care management company is a BA of the health plan. In order to provide appropriate nutritional advice and coaching, the health care management company needs additional information about these individuals to ensure the advice is consistent with the treatment they receive from their providers.

The health care management company may query the relevant providers to obtain information that could impact the nutritional advice. Providers may respond to the query using Certified EHR Technology and may disclose PHI necessary for the case management purpose for which the nutritional coach was hired by the health plan. Disclosure of electronic PHI by Certified EHR Technology or other method requires HIPAA Security Rule compliance.

In this scenario, the disclosures by the providers to the nutritional coach are for the Health Care Operations (“population-based activities relating to improving health or reducing costs” and “case management”) of the health plan, and therefore are Permissible Disclosures under HIPAA. Likewise, a BAA is only required between the health plan covered entity and the health care management company it hired. The providers may make permissible disclosures of PHI to that company without a BAA between the discloser and that company.


Once again, the providers sharing PHI with the health care management company hired by the health plan are not responsible under HIPAA for what that company or the health plan subsequently does with the information once it has been sent for a permissible reason and in a secure manner.