By Lucia Savage, J.D./Chief Privacy Officer, and
Aja Brooks, J.D./Privacy Analyst
Welcome to the third blog post in our series. Blog #2 discussed how HIPAA supports interoperability and defined Treatment and Health Care Operations, the functions for which HIPAA permits electronic exchange of health information without patient authorization. This blog post gives additional practical examples of exchange for Treatment and exchange for Health Care Operations. Let's jump right in.
Example 1: Care Coordination – 45 CFR 164.506(c)(2)
A hospital is preparing to discharge a patient who will need ongoing, facility-based care. The inpatient facility needs to identify a rehabilitation facility to accept the patient. Prospective facilities will need Protected Health Information (PHI) about the patient to determine whether they can provide the right care.
The current hospital may disclose the relevant PHI to prospective facilities without first obtaining the patient’s written authorization. The disclosing hospital may use Certified EHR Technology, so long as the disclosure is done in a manner that meets the HIPAA Security Rule.
This disclosure is a treatment disclosure (made in anticipation of future treatment of the patient by the rehabilitation facility) and thus may be carried out under 45 CFR 164.506(c)(2).
A common question arises in this scenario: because the PHI came from the inpatient facility, will the inpatient facility be held responsible under HIPAA for what the rehabilitation facilities do with the PHI once they have received it in a manner HIPAA permits? For example, what if one of the rehabilitation facilities experiences a breach of the PHI?
Under HIPAA, the inpatient facility is responsible only for complying with HIPAA in disclosing the PHI to the rehabilitation facility in a permitted and secure manner. This includes transmitting the PHI securely and taking reasonable steps to confirm it is sent to the correct recipient. Once the rehabilitation facility has received the PHI in accordance with HIPAA, the rehabilitation facility, as a covered entity itself, is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to any breaches that occur. The sending provider is not responsible for the security of the PHI after it has been received by another covered entity or by the recipient covered entity's business associate (BA).
Example 2: Care Planning By a Provider – 45 CFR 164.506(c)(1) and (c)(2)
A provider wants to ensure that her patients have a comprehensive care plan after they are discharged from the hospital. The provider hires a care planning company (that is, her BA) to develop these plans for her patients.
To develop the plan, the care planning company requests pertinent PHI about each patient from the patients’ other providers, such as the hospitals to which the patients have been admitted for the same or similar medical care and the patients’ health plans. Each of these covered entities may disclose the relevant PHI for care planning purposes using Certified EHR Technology. Disclosure of electronic PHI by such technology or other electronic method requires HIPAA Security Rule compliance.
Note: In this scenario, a business associate agreement (BAA) is only required between the covered entity that hires the care planning company and that company. The covered entities who permissibly disclose PHI in this scenario may do so directly to the provider’s care planning company for the provider’s care planning purposes (without the need to execute their own BAA) just as they could share this information directly with the provider. Electronic PHI disclosed in this scenario, for example using Certified EHR Technology, must be disclosed consistent with the HIPAA Security Rule.
Under HIPAA, the patients’ other providers and health plans, which have sent PHI to the initial treating provider’s BA, are not responsible for what the BA does with the PHI once it has been sent to the BA for permissible reasons and in a secure manner.
Example 3: Case Management by a Payer – 45 CFR 164.506(c)(1) and (c)(4)
A health plan hires a health care management company to provide semi-monthly nutritional advice and coaching to its diabetic and pre-diabetic members. The health care management company is a BA of the health plan. In order to provide appropriate nutritional advice and coaching, the health care management company needs additional information about these individuals to ensure the advice is consistent with the treatment they receive from their providers.
The health care management company may query the relevant providers to obtain information that could affect the nutritional advice. Providers may respond to the query using Certified EHR Technology and may disclose the PHI necessary for the case management purpose for which the nutritional coach was hired by the health plan. Disclosure of electronic PHI by Certified EHR Technology or other electronic method requires HIPAA Security Rule compliance.
In this scenario, the disclosures by the providers to the nutritional coach are for the Health Care Operations (“population-based activities relating to improving health or reducing costs” and “case management”) of the health plan, and therefore are Permissible Disclosures under HIPAA.
Note: In this scenario, a BAA is only required between the health plan covered entity and the health care management company it hired. The providers may make permissible disclosures of PHI to that company without a BAA between the discloser and that company.
As in the prior scenarios, the providers sharing PHI with the health care management company hired by the health plan are not responsible under HIPAA for what that company or the health plan subsequently does with the information once it has been sent for a permissible reason and in a secure manner.
Next Time
In our next installment, we will focus on Quality Assessment/Quality Improvement and Population-Based Activities. As always, if you have interoperability questions, feel free to contact ONC at privacyandsecurity@hhs.gov. If you have HIPAA privacy and security questions, contact OCR at OCRPrivacy@hhs.gov.
This blog and the links to HealthIT.gov it contains are provided for informational purposes only. The information contained in this blog is not intended to serve as legal advice nor should it substitute for legal counsel. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.
Real HIPAA Blog Series
- Blog post 1: The Real HIPAA Supports Interoperability
- Blog post 2: Permitted Uses and Disclosures
- Blog post 3: Care Coordination, Care Planning, and Case Management Examples
- Blog post 4: Quality Assessment/Quality Improvement and Population-Based Activities Examples
This post was originally published on the Health IT Buzz and is syndicated here with permission.