HHS Clarifies HIPAA Data Sharing Rules

After seeking feedback from covered entities about aspects of the Health Insurance Portability and Accountability Act that are causing confusion, the U.S. Department of Health and Human Services has published two fact sheets to improve understanding of HIPAA data sharing rules. If a fully interoperable health system is to be developed, HIPAA-covered entities must understand when the rules permit data to be shared. The two fact sheets are intended to explain when protected health information (PHI) can be shared without the patient's authorization being obtained first.

Covered Entities Confused About HIPAA Data Sharing Rules

The two fact sheets were produced jointly by the HHS Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR), and cover two separate aspects of information sharing. The first fact sheet tackles disclosures of PHI for healthcare operations, as permitted by 45 Code of Federal Regulations (CFR) 164.506(c)(4). The second fact sheet deals with the sharing of PHI as part of the provision of treatment, as permitted by 45 CFR 164.506(c)(2).

Whether the HIPAA Privacy Rule permits PHI to be shared without the patient's prior authorization depends on the circumstances. Sharing of PHI between covered entities is permitted for certain healthcare operations, and HIPAA-covered entities are also allowed to share PHI with their business associates, provided the data are needed for those healthcare operations to be carried out. When PHI is disclosed for healthcare operations, the disclosure must be limited to the minimum necessary to accomplish the purpose; note that the minimum necessary standard does not apply to disclosures to a healthcare provider for treatment (45 CFR 164.502(b)(2)).

For a disclosure under 164.506(c)(4), both covered entities must have, or have had, a relationship with the patient whose PHI is being shared, and the PHI must pertain to that relationship. Before PHI can be shared with a business associate, a signed business associate agreement (BAA) must be in place.

Typical healthcare operations for which PHI may be shared include developing clinical guidelines, conducting quality assessments, developing protocols, conducting training programs, contacting healthcare providers and patients with information about treatment alternatives, supporting fraud and abuse detection, and evaluating the performance of health plans or healthcare providers. The first fact sheet offers two worked examples of how HIPAA data sharing rules apply when exchanging data for quality assessment and quality improvement.

The second fact sheet aims to clear up confusion about when PHI can be shared as part of the provision of treatment to a patient. HIPAA data sharing rules allow a covered entity to share PHI with another healthcare provider so that a patient can receive treatment, including to coordinate, provide, or manage the patient's care. The disclosing covered entity must transmit the information using reasonable safeguards, and the receiving covered entity is itself bound by the HIPAA Security Rule to protect the PHI it holds against unauthorized disclosure. Examples are given to illustrate when such sharing is permitted, including between a surgeon and a treating physician, and between a primary care physician, a business associate, and a health plan.

The two fact sheets can be downloaded via the following links:

Permitted Uses and Disclosures: Exchange for Health Care Operations: Factsheet 1

HIPAA Permitted Uses and Disclosures: Exchange for Treatment: Factsheet 2

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news