The Real HIPAA Supports Interoperability

By Lucia Savage, J.D./Chief Privacy Officer, and
Aja Brooks, J.D./Privacy Analyst

At ONC, we hear all of the time that the Health Insurance Portability and Accountability Act (HIPAA) makes it difficult, if not impossible, to move electronic health data when and where it is needed for patient care and health. This is a misconception, but unfortunately one that is widespread. This blog series and accompanying fact sheets aim to correct this misunderstanding so that health information is more often available when and where it is needed.

Get to Know HIPAA
What many people don’t realize is that HIPAA not only protects personal health information from misuse, but also enables that personal health information to be accessed, used, or disclosed interoperably, when and where it is needed for patient care. As illustrated in two new fact sheets we are publishing today, HIPAA provides many pathways for permissibly exchanging Protected Health Information (PHI). We developed the fact sheets with the Office for Civil Rights (OCR), which oversees policy and enforcement for the HIPAA Privacy, Security and Breach Notification Rules. The fact sheets give numerous examples of when electronic health information can be exchanged without first requiring an authorization or a writing of some type from the patient, so long as other protections or conditions are met.

Download the fact sheets
Permitted Uses and Disclosures: Exchange for Health Care Operation [PDF – 1.3 MB]
Permitted Uses and Disclosures: Exchange for Treatment [PDF – 1.1 MB]

This blog post series (this is #1 of 4) and supporting fact sheets aim to address concerns we frequently hear from providers, such as wondering whether they can interoperably exchange PHI with each other or payers and whether written patient consent is needed for such exchanges. Some providers are not sharing PHI due to their health care organization’s policies, procedures, or protocols, even if the sharing is permitted under HIPAA, or because laws in the provider’s state apply in addition to HIPAA. Interestingly, this lack of exchange of PHI runs contrary to consumer perception, with research demonstrating that patients assume their PHI is automatically shared between their treating physicians.

Clearing Up HIPAA Confusion
The new fact sheets remind stakeholders, through practical, real-life scenarios, that HIPAA supports interoperability because it gives providers permission to share PHI for patient care, quality improvement, population health, and other activities. We will cover the scenarios in the fact sheets through a four-part blog series here on the Health IT Buzz Blog.

Permitted Uses and Disclosures (the focus of these blogs) are situations in which a covered entity is permitted, but not required, to use and disclose PHI without first having to obtain a written authorization from the patient. Instances when a patient’s authorization is not required are listed in the provider’s HIPAA Notice of Privacy Practices. (And remember, under HIPAA, a covered entity’s business associate can perform the health care operations delegated to it in the business associate agreement, ranging from developing care plans (Blog #3) to transmitting PHI between two covered entities who are permissibly and securely exchanging PHI (Blog #4).)

Blog #2 will provide background on HIPAA’s Permitted Uses and Disclosures: what they are, and how they advance the national goal of interoperability. Blog #3 will give examples of exchange of health information for Care Coordination, Care Planning, and Case Management, both between providers and between providers and payers. Finally, Blog #4 will give examples of interoperable, permissible exchange of PHI for Quality Assurance and Population-Based Activities, including via a health information exchange.

We hope the fact sheets and this blog series will be helpful to you and will support your interoperability goals. As always, if you have privacy and security questions concerning interoperability, feel free to contact ONC at privacyandsecurity@hhs.gov. If you have questions about HIPAA privacy and security, please contact OCRPrivacy@hhs.gov. And there is a wealth of information on OCR’s HIPAA website, as well as on HealthIT.gov. In the meantime, let’s seek a deeper understanding of HIPAA and make the most of what it offers. Stay tuned for the next blog post: The Real HIPAA: Permitted Uses and Disclosures.

This blog and the links to HealthIT.gov it contains are provided for informational purposes only. The information contained in this blog is not intended to serve as legal advice nor should it substitute for legal counsel. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

Real HIPAA Blog Series

  • Blog post 1: The Real HIPAA Supports Interoperability
  • Blog post 2: Permitted Uses and Disclosures
  • Blog post 3: Care Coordination, Care Planning, and Case Management Examples – Coming 2/18
  • Blog post 4: Quality Assessment/Quality Improvement and Population-Based Activities Examples – Coming 2/25

This post was originally published on the Health IT Buzz and is syndicated here with permission.