OCR and HHS Issue Guidance on Health Information Exchanges

On December 18, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued new guidance on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The guidance addresses important questions related to the definition of a health information exchange (HIE), when covered entities can disclose protected health information (PHI) to an HIE without the individual’s authorization, whether covered entities need a direct request from the public health authority (PHA) to disclose PHI, and whether a covered entity must provide notice to individuals regarding disclosures of PHI for public health purposes. In addition, the guidance provides examples for providers and entities relevant to HIPAA and the COVID-19 pandemic.

Questions addressed in the guidance include:

What is a health information exchange (HIE)?

An HIE is an organization that allows electronic PHI to be shared between more than two entities with no affiliation. This can include healthcare providers, health plans, and business associates, who may share information for purposes related to payment, treatment, or healthcare operations. HIEs can also offer services to participants, including public health reporting, locating patient records, and data collection and analysis.

When does HIPAA allow a covered entity or its business associate to share PHI with an HIE, in order to report the information to the PHA for carrying out public health activities, without an individual’s permission?

HIPAA permits these disclosures in the following circumstances:

  • The disclosure is legally required.
  • The HIE is a business associate of the covered entity or other business associate that seeks to provide PHI to a PHA for public health reasons.
  • The HIE is acting under a grant of authority from, or a contract with, a PHA for a public health activity.

Can an HIE send PHI it has received by being a business associate of a covered entity to a PHA for public health purposes, without seeking approval from the covered entity first?

This type of disclosure is only allowed during the COVID-19 public health emergency. Penalties on business associate type HIEs will not be imposed for certain HIPAA violations if the HIE sends the PHI received, while acting as the covered entity’s business associate, to a PHA for the purpose of public health activities. This exception applies regardless of whether the business associate agreement with the provider allows for this disclosure or the disclosure has been otherwise authorized by the provider. Penalties will not be imposed until HHS declares the public health emergency no longer exists, or the declared public health emergency expires.

Must a covered entity provide notice to individuals regarding disclosures of PHI to a PHA for public health reasons? Is a business associate HIE required to provide this notice as well?

Yes, covered entities must give individuals notice when they disclose PHI for public health purposes. This notice must be stated in the covered entity’s Notice of Privacy Practices (NPP). Covered entities must include in the NPP a description of the purposes, including public health purposes, for which the entity may disclose the information without a person’s consent. However, HIPAA does not require a covered entity to disclose information for public health purposes. Therefore, covered entities may honor an individual’s request not to disclose the PHI, so long as the disclosure is not legally required. Business associates, such as HIE business associates, on the other hand, are not required to give individuals an NPP. However, if an individual requests an accounting of their PHI disclosures, covered entities are required under HIPAA to include disclosures made for public health purposes.

For over 35 years, Wachler & Associates has represented healthcare providers and suppliers nationwide in a variety of health law matters, and our attorneys can assist providers and suppliers in understanding new proposed regulations. If you or your healthcare entity has any questions pertaining to healthcare compliance, please contact an experienced healthcare attorney at 248-544-0888 or