ONC Addresses HIPAA's Role in Interoperability | Healthcare Informatics Magazine | Health IT | Information Technology

ONC Addresses HIPAA's Role in Interoperability

February 8, 2016
by Heather Landi

The Health Insurance Portability and Accountability Act (HIPAA) provides many pathways for permissibly exchanging Protected Health Information (PHI), and that's the message the Office of the National Coordinator for Health IT (ONC) wants to get across with a series of blog posts and fact sheets.

Last week, ONC posted the first blog post of what it says will be a series of blog posts and accompanying fact sheets seeking to clarify HIPAA and how it fits into the interoperability framework.

In the blog post on Health IT Buzz, ONC’s Lucia Savage, chief privacy officer, and Aja Brooks, a privacy analyst, say many healthcare providers have a misconception that HIPAA impedes the sharing of electronic health data.

“What many people don’t realize is that HIPAA not only protects personal health information from misuse, but also enables that personal health information to be accessed, used, or disclosed interoperably, when and where it is needed for patient care. As illustrated in two new fact sheets we are publishing today, HIPAA provides many pathways for permissibly exchanging Protected Health Information (PHI),” Brooks and Savage wrote.

ONC developed the fact sheets with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which oversees policy and enforcement for HIPAA privacy, security and breach notification rules. The fact sheets serve to illustrate examples of when electronic health information can be exchanged “without first requiring an authorization or a writing of some type from the patient, as long as other protections or conditions are met,” Savage and Brooks stated.

Savage and Brooks also point out that the blog post series and supporting fact sheets aim to address concerns ONC frequently hears from providers, such as “whether they can interoperably exchange PHI with each other or payers and whether written patient consent is needed for such exchanges.”

“The new fact sheets remind stakeholders through practical, real-life scenarios, that HIPAA supports interoperability because it gives providers permission to share PHI for patient care, quality improvement, population health, and other activities,” they wrote in the blog post.

Future blog posts will cover issues related to exchange of health information for care coordination, care planning and case management between providers and between providers and payers, as well as interoperable, permissible exchange of PHI for quality assurance and population-based activities, including via a health information exchange, according to Savage and Brooks’ post.

The first fact sheet focuses on permitted uses and disclosures of PHI for health care operations and outlines instances when covered entities can disclose PHI to another covered entity or its business associate without needing patient consent or authorization, such as conducting quality assessment and improvement activities, developing clinical guidelines, developing protocols and conducting population-based activities relating to improving health or reducing healthcare costs.

The fact sheet also outlines that before a covered entity can share PHI with another covered entity the following three requirements must also be met: both covered entities must have or have had a relationship with the patient, the PHI requested must pertain to the relationship and the discloser must disclose only the minimum information necessary for the healthcare operation at hand. The fact sheet also includes a number of practical scenarios as examples of “permitted uses and disclosures” situations that fall into the healthcare operations category.

The second fact sheet posted outlines permitted uses and disclosures of PHI between and among healthcare providers as it relates to treatment. Specifically, the fact sheet highlights that covered entities may disclose PHI (whether orally, on paper, by fax, or electronically) to another provider for the treatment activities of that provider, without needing patient consent or authorization.

The fact sheet highlights the responsibilities that providers have, whether disclosing PHI or receiving PHI, for safeguarding the PHI and complying with HIPAA.

This fact sheet also reviews the role of business associates as it relates to patient information to create care plans and the role of the provider and health plan in that exchange. As outlined in the fact sheet, covered entities such as hospitals and health plans may disclose patients’ relevant PHI for care planning purposes to the requesting providers’ business associate using Certified Electronic Health Record Technology (CEHRT) and other electronic means. Disclosure of electronic PHI by CEHRT or other electronic method requires Security Rule compliance.

And, the fact sheet highlights that a business associate agreement is only required between the covered entity that hired the business associate and that business associate. “The responding covered entities may make permissible disclosures directly to the provider’s business associate for the provider’s care planning purposes (without the need to execute their own business associate agreement with the care planning company), just as they could share this information directly with the provider,” ONC and OCR stated in the fact sheet.

And, the fact sheet clarified that, under HIPAA, the patient’s other providers and health plans, which have sent PHI to the initial treating provider’s business associate, “are not responsible for what the business associate does with the PHI once it has been disclosed permissibly and securely.”

