OCR Confirms HIPAA Rules on Disclosures of PHI to Health Information Exchanges

The Department of Health and Human Services’ Office for Civil Rights has published guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules related to disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA).

HIEs are organizations that facilitate the sharing of electronic PHI (ePHI) between more than two unaffiliated bodies, including healthcare providers, health plans, and their business associates. HIEs share ePHI for treatment, payment, or healthcare procedures, for public health reporting to PHAs, and as part of other functions and services they provide to HIPAA-covered entities, such as patient record location and data analysis.

HIPAA supports the use of HIEs and allows health data to be shared to improve public health, which has been especially vital during the COVID-19 public health emergency. The HIPAA Privacy Rule allows HIPAA-covered entities and their business associates to share ePHI with an HIE for reporting to a PHA that is engaged in public health, without requiring the individual's prior permission.

Such disclosures are permitted under the following instances:

  • When sharing is required by federal, state, local, or other legal acts that are enforceable in court
  • When the HIE acts under a grant of authority or has a contract in place with a PHA for a public health activity
  • When the HIE is a business associate of the covered entity or of another business associate, and wants to supply ePHI to a PHA for public health purposes

The HIPAA Privacy Rule only allows an HIE that is a business associate of the covered entity or of another business associate to share ePHI with a PHA for public health purposes if the business associate agreement (BAA) with the covered entity expressly states that it may do so. However, earlier in 2020, in response to the COVID-19 public health emergency, OCR published a notice of enforcement discretion stating that no action will be taken against a business associate for good faith disclosures of ePHI to a PHA for public health purposes, including cases where the business associate agreement does not expressly permit such a disclosure. Sanctions and penalties will be waived provided the covered entity is notified about such a disclosure within 10 calendar days. When the HHS Secretary declares the COVID-19 public health emergency over, such sharing will no longer be allowed unless expressly permitted in the BAA.

The minimum necessary standard applies to the sharing of ePHI by an HIE with a PHA. A covered entity may rely on a PHA's request for a summary record, whether made to the covered entity or to the HIE, as being for the minimum amount of PHI required to achieve the PHA's public health purpose.

A covered entity is allowed under the HIPAA Privacy Rule to share ePHI with a PHA via an HIE, even if the PHA has not submitted a direct request for the PHI, as long as the covered entity is aware that the PHA is using the HIE to gather such data for a public health activity, or that the HIE is acting on behalf of the PHA.

While the above sharing of ePHI for public health purposes does not require permission to be obtained from the individuals whose PHI is being disclosed, those individuals must be informed about such disclosures in the covered entity's Notice of Privacy Practices.

You can view the OCR guidance here.

Author: Maria Perez