ONC Addresses HIPAA's Role in Interoperability | Healthcare Informatics Magazine | Health IT | Information Technology

ONC Addresses HIPAA's Role in Interoperability

February 8, 2016
by Heather Landi

The Health Insurance Portability and Accountability Act (HIPAA) provides many pathways for permissibly exchanging Protected Health Information (PHI), and that's the message the Office of the National Coordinator for Health IT (ONC) wants to get across with a series of blog posts and fact sheets.

Last week, ONC posted the first blog post of what it says will be a series of blog posts and accompanying fact sheets seeking to clarify HIPAA and how it fits into the interoperability framework.

In the blog post on Health IT Buzz, ONC’s Lucia Savage, chief privacy officer, and Aja Brooks, a privacy analyst, say many healthcare providers have a misconception that HIPAA impedes the sharing of electronic health data.

“What many people don’t realize is that HIPAA not only protects personal health information from misuse, but also enables that personal health information to be accessed, used, or disclosed interoperably, when and where it is needed for patient care. As illustrated in two new fact sheets we are publishing today, HIPAA provides many pathways for permissibly exchanging Protected Health Information (PHI),” Brooks and Savage wrote.

ONC developed the fact sheets with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which oversees policy and enforcement for HIPAA privacy, security and breach notification rules. The fact sheets serve to illustrate examples of when electronic health information can be exchanged “without first requiring an authorization or a writing of some type from the patient, as long as other protections or conditions are met,” Savage and Brooks stated.

Savage and Brooks also point out that the blog post series and supporting fact sheets aim to address concerns ONC frequently hears from providers, such as “whether they can interoperably exchange PHI with each other or payers and whether written patient consent is needed for such exchanges.”

“The new fact sheets remind stakeholders through practical, real-life scenarios, that HIPAA supports interoperability because it gives providers permission to share PHI for patient care, quality improvement, population health, and other activities,” they wrote in the blog post.

Future blog posts will cover issues related to exchange of health information for care coordination, care planning and case management between providers and between provider and payers as well as interoperable, permissible exchange of PHI for quality assurance and population-based activities, including via a health information exchange, according to Savage and Brooks’ post.

The first fact sheet focuses on permitted uses and disclosures of PHI for health care operations and outlines instances when covered entities can disclose PHI to another covered entity or its business associate without needing patient consent or authorization, such as conducting quality assessment and improvement activities, developing clinical guidelines, developing protocols and conducting population-based activities relating to improving health or reducing healthcare costs.

The fact sheet also outlines that before a covered entity can share PHI with another covered entity the following three requirements must also be met: both covered entities must have or have had a relationship with the patient, the PHI requested must pertain to the relationship and the discloser must disclose only the minimum information necessary for the healthcare operation at hand. The fact sheet also includes a number of practical scenarios as examples of “permitted uses and disclosures” situations that fall into the healthcare operations category.

The second fact sheet posted outlines permitted uses and disclosures of PHI between and among healthcare providers as it relates to treatment. Specifically, the fact sheet highlights that covered entities may disclose PHI (whether orally, on paper, by fax, or electronically) to another provider for the treatment activities of that provider, without needing patient consent or authorization.

The fact sheet highlights the responsibilities that providers have, whether disclosing PHI or receiving PHI, for safeguarding the PHI and complying with HIPAA.

This fact sheet also reviews the role of business associates as it relates to patient information to create care plans and the role of the provider and health plan in that exchange. As outlined in the fact sheet, covered entities such as hospitals and health plans may disclose patients’ relevant PHI for care planning purposes to the requesting providers’ business associate using Certified Electronic Health Record Technology (CEHRT) and other electronic means. Disclosure of electronic PHI by CEHRT or other electronic method requires Security Rule compliance.

And, the fact sheet highlights that a business associate agreement is only required between the covered entity that hired the business associate and that business associate. “The responding covered entities may make permissible disclosures directly to the provider’s business associate for the provider’s care planning purposes (without the need to execute their own business associate agreement with the care planning company), just as they could share this information directly with the provider,” ONC and OCR stated in the fact sheet.

And, the fact sheet clarified that, under HIPAA, the patient’s other providers and health plans, which have sent PHI to the initial treating provider’s business associate, “are not responsible for what the business associate does with the PHI once it has been disclosed permissibly and securely.”

