OCR Releases HIPAA Guidance on Disclosures of PHI to Health Information Exchanges

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released new Health Insurance Portability and Accountability Act (HIPAA) Rules guidance that addresses disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA).

An HIE is an entity that enables the sharing of electronic PHI (ePHI) among two or more unaffiliated entities, such as health plans, healthcare providers, and business associates. ePHI is shared for purposes such as treatment, payment, and healthcare operations; for reporting to PHAs for public health activities; and for providing other products and services, such as patient record storage and data collection and analysis.

HIPAA permits the use of HIEs and the disclosure of health information to protect and improve public health, which has become particularly important during the COVID-19 public health emergency. Under the HIPAA Privacy Rule, HIPAA-covered entities and their business associates may disclose PHI to an HIE for reporting to a PHA that is engaged in public health activities without first obtaining individual authorization.

Such disclosures are permitted under the following circumstances:

  • The disclosure is required by federal, state, local, or other law that is enforceable in a court of law
  • The HIE is acting under a grant of authority from, or a contract with, a PHA for a public health activity
  • The HIE is a business associate of the covered entity, or of another business associate, and discloses PHI to a PHA for public health purposes*

*The HIPAA Privacy Rule only permits an HIE that is a business associate of a covered entity (or of another business associate) to disclose PHI to a PHA for public health purposes when the business associate agreement (BAA) it has signed with the covered entity expressly permits it to do so. However, because of the COVID-19 public health emergency, OCR issued a notice of enforcement discretion stating that it will not take enforcement action against a business associate whose BAA does not expressly permit such disclosures if it discloses PHI to a PHA in good faith and for public health purposes. In such cases, the business associate must notify the covered entity of the disclosure within 10 calendar days. The notice of enforcement discretion remains in effect only for as long as the COVID-19 public health emergency declaration is in effect.

Disclosures of PHI by an HIE to a PHA are limited to the minimum necessary to accomplish the purpose of the disclosure. A PHA may request that a covered entity disclose a summary report to the PHA or to the HIE, and the covered entity may treat that request as representing the minimum necessary PHI to accomplish the public health purpose of the disclosure.

The HIPAA Privacy Rule permits a covered entity to disclose PHI to a PHA through an HIE even if the covered entity has not received a direct request for the PHI from the PHA, provided the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting on behalf of the PHA.

Although individual authorization is not required for these disclosures, the individuals whose PHI is disclosed should be informed that such disclosures may occur. This can be done by stating in the covered entity’s Notice of Privacy Practices that PHI may be disclosed for public health purposes.

The new OCR guidance, which includes a number of examples related to COVID-19, is available on the HHS website.