Last Friday, the U.S. Department of Health and Human Services Office of the National Coordinator for Health IT (“ONC”) and the Office for Civil Rights (“OCR”) released two fact sheets regarding permitted uses and disclosures of protected health information (“PHI”) among health care providers and other entities covered by HIPAA. ONC and OCR developed these fact sheets after health care providers expressed confusion over if and when PHI can be shared without the patient’s prior written consent under the HIPAA Privacy Rule (the “Privacy Rule”). Additionally, as ONC has been actively pushing health care providers toward interoperability of electronic health recordkeeping systems, many view the lack of clarity and understanding around the Rules a hindrance to achieving this goal.
In the fact sheets, ONC and OCR provide specific examples of these uses and disclosures allowed by HIPAA if particular safeguards have been established. The first fact sheet is directed toward Covered Entities and addresses uses and disclosures for health care operations. The first fact sheet reminds Covered Entities that a Covered Entity can disclose PHI to another Covered Entity or the Covered Entity’s business associate for certain health care operations of the Covered Entity receiving the patient information. Such health care operations include developing protocols or clinical guidelines, performing case management or care coordination, and implementing quality assessment or improvement activities. However, Covered Entities may only exchange PHI in these instances if (1) the other Covered Entity also has a relationship with the patient; (2) the PHI relates to the relationship between the Covered Entity and patient; and (3) the Covered Entity discloses the minimum information necessary to accomplish the health care operation.
The second fact sheet provides examples of when Covered Entities may share PHI for a patient’s treatment. The Privacy Rule broadly defines treatment to include providing, coordinating, and managing a patient’s care, as well as consulting between providers and referring patients to another provider. The fact sheet clarifies that when one Covered Entity properly provides PHI to another Covered Entity for a patient’s treatment, the disclosing entity is responsible for securely transmitting the information, and the receiving entity is responsible for safeguarding the information once received. The fact sheet describes the requirements for different relationships between Covered Entities, such as between a hospital and the patient’s physician, a physician and a care planning company hiring to coordinate care for the physician’s patients, and a hospital and long-term care facility to which a patient is discharged.
The fact sheets do not alter the ways in which Covered Entities may use PHI for health care operations or treatment, but they do provide useful guidance to Covered Entities for when and how PHI may be shared.