Some health care providers seem to think that HIPAA’s approach to sharing protected health information (PHI) is “Just say no.” However, HIPAA was never intended to be a roadblock to clinically beneficial disclosures of medical information.
Take, for example, a hospital that is contemplating sharing PHI with a cloud hosting provider, which will make the data available to a health plan and other health care providers for the purpose of developing clinical protocols. Is that type of disclosure permitted under HIPAA?
Permitted PHI Disclosures Under HIPAA
The HIPAA Privacy Rule permits a hospital or other covered entity to disclose PHI for its health care operations purposes. “Health care operations” is defined to include
- “quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines”;
- “population-based activities relating to improving health or reducing health care costs”; and
- protocol development.
It’s worth noting that to fit within this exception, studies resulting from quality assessment and improvement activities cannot be for the primary purpose of obtaining “generalizable knowledge” (meaning research)—they must advance the health care operations of the covered entity.
Similarly, the hospital may share PHI for certain health care operations purposes of the receiving covered entity (in this case, a health plan) if the following conditions are met:
- Both the hospital and the health plan have or had relationships with the individual who is the subject of the PHI.
- The PHI shared relates to such relationships.
- The purpose of the disclosure fits within the first two categories of the definition of “health care operations,” which includes each of the quality assessment, quality improvement, and population-based health purposes listed above.
Therefore, regardless of whether you characterize the disclosures of PHI among the covered entities in our example as furthering the health care operations of the disclosing or the receiving covered entity, the disclosures should be permitted under HIPAA.
Prohibition on the Sale of PHI
In entering into an information-sharing arrangement for clinical protocol development, a hospital should take care not to run afoul of HIPAA’s prohibition on the sale of PHI. The sale of PHI means a disclosure of PHI by a covered entity where the covered entity directly or indirectly receives remuneration from or on behalf of the recipient of the information in exchange for the PHI. There are exceptions to this prohibition, such as for disclosures for public health or research purposes, but they would not apply to our clinical protocol development scenario.
A sale of PHI is permitted if the covered entity obtains an express HIPAA authorization from the patient whose PHI is being shared, provided that the authorization form discloses that the covered entity is receiving payment. However, in many cases, obtaining patient authorization is not practicable. A covered entity is also permitted to receive a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for purposes of the disclosure.
Applying these rules to our scenario, what if the health plan agrees to award the disclosing hospital with a lucrative provider agreement if the hospital agrees to share PHI for clinical protocol development?
That arrangement could be considered indirect remuneration to the hospital, which would violate HIPAA’s prohibition on the sale of PHI—but the analysis is fact specific.
What if the health plan were considering entering into a joint venture with the hospital that would bring the hospital a return on investment, but makes that deal contingent on the hospital’s sharing of PHI for protocol development?
Once again, such an arrangement could constitute indirect remuneration to the hospital, depending upon the facts and circumstances.
What if the health plan pays the hospital its reasonable costs for mapping or organizing the data so that it would be more useful in clinical protocol development?
That sort of arrangement would probably not constitute a prohibited sale of PHI. And, of course, the cloud hosting service that is storing the PHI for use in clinical protocol development would probably be a business associate of each of the participating covered entities, so business associate agreements would need to be negotiated.
While the HIPAA rules require careful review and navigation, hospitals should not assume that they are necessarily an obstacle to worthy projects such as clinical protocol development among payers and providers.