ONC Addresses HIPAA's Role in Interoperability | Healthcare Informatics Magazine | Health IT | Information Technology

ONC Addresses HIPAA's Role in Interoperability

February 8, 2016
by Heather Landi

The Health Insurance Portability and Accountability Act (HIPAA) provides many pathways for permissibly exchanging Protected Health Information (PHI), and that's the message the Office of the National Coordinator for Health IT (ONC) wants to get across with a series of blog posts and fact sheets.

Last week, ONC posted the first of what it says will be a series of blog posts and accompanying fact sheets seeking to clarify HIPAA and how it fits into the interoperability framework.

In the blog post on Health IT Buzz, ONC’s Lucia Savage, chief privacy officer, and Aja Brooks, a privacy analyst, say many healthcare providers have a misconception that HIPAA impedes the sharing of electronic health data.

“What many people don’t realize is that HIPAA not only protects personal health information from misuse, but also enables that personal health information to be accessed, used, or disclosed interoperably, when and where it is needed for patient care. As illustrated in two new fact sheets we are publishing today, HIPAA provides many pathways for permissibly exchanging Protected Health Information (PHI),” Brooks and Savage wrote.

ONC developed the fact sheets with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which oversees policy and enforcement for HIPAA privacy, security and breach notification rules. The fact sheets serve to illustrate examples of when electronic health information can be exchanged “without first requiring an authorization or a writing of some type from the patient, as long as other protections or conditions are met,” Savage and Brooks stated.

Savage and Brooks also point out that the blog post series and supporting fact sheets aim to address concerns ONC frequently hears from providers, such as “whether they can interoperably exchange PHI with each other or payers and whether written patient consent is needed for such exchanges.”

“The new fact sheets remind stakeholders through practical, real-life scenarios, that HIPAA supports interoperability because it gives providers permission to share PHI for patient care, quality improvement, population health, and other activities,” they wrote in the blog post.

Future blog posts will cover issues related to exchange of health information for care coordination, care planning and case management between providers and between providers and payers, as well as interoperable, permissible exchange of PHI for quality assurance and population-based activities, including via a health information exchange, according to Savage and Brooks’ post.

The first fact sheet focuses on permitted uses and disclosures of PHI for health care operations. It outlines instances when covered entities can disclose PHI to another covered entity or its business associate without needing patient consent or authorization, such as conducting quality assessment and improvement activities, developing clinical guidelines, developing protocols and conducting population-based activities relating to improving health or reducing healthcare costs.

The fact sheet also outlines three requirements that must be met before a covered entity can share PHI with another covered entity: both covered entities must have or have had a relationship with the patient, the PHI requested must pertain to the relationship, and the discloser must disclose only the minimum information necessary for the healthcare operation at hand. The fact sheet also includes a number of practical scenarios as examples of “permitted uses and disclosures” situations that fall into the healthcare operations category.

The second fact sheet posted outlines permitted uses and disclosures of PHI between and among healthcare providers as it relates to treatment. Specifically, the fact sheet highlights that covered entities may disclose PHI (whether orally, on paper, by fax, or electronically) to another provider for the treatment activities of that provider, without needing patient consent or authorization.

The fact sheet highlights the responsibilities that providers have, whether disclosing PHI or receiving PHI, for safeguarding the PHI and complying with HIPAA.

This fact sheet also reviews the role of business associates in using patient information to create care plans, and the role of the provider and health plan in that exchange. As outlined in the fact sheet, covered entities such as hospitals and health plans may disclose patients’ relevant PHI for care planning purposes to the requesting providers’ business associate using Certified Electronic Health Record Technology (CEHRT) and other electronic means. Disclosure of electronic PHI by CEHRT or other electronic method requires Security Rule compliance.

The fact sheet also highlights that a business associate agreement is only required between the covered entity that hired the business associate and that business associate. “The responding covered entities may make permissible disclosures directly to the provider’s business associate for the provider’s care planning purposes (without the need to execute their own business associate agreement with the care planning company), just as they could share this information directly with the provider,” ONC and OCR stated in the fact sheet.

The fact sheet further clarifies that, under HIPAA, the patient’s other providers and health plans, which have sent PHI to the initial treating provider’s business associate, “are not responsible for what the business associate does with the PHI once it has been disclosed permissibly and securely.”
