OCR issues guidance on disclosure of protected info using health information exchanges

The U.S. Department of Health and Human Services’ Office of Civil Rights on Friday issued guidance addressing how HIPAA permits the use of health information exchanges to disclose protected health information for public health purposes.

A covered entity is required to provide individuals with notice that it discloses protected health information for public health activities, the guidance read.

“OCR is issuing this guidance to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency,” OCR Director Roger Severino said in a statement.


The guidance outlines several circumstances in which such disclosures are permitted without an individual’s authorization, including:

  • When the disclosure is required by federal, state, local or other law.
  • When an HIE is a business associate of the covered entity that wishes to provide the information to a public health authority for public health purposes.
  • When an HIE is acting under a grant of authority or contract with a public health authority for a public health activity.

“A covered laboratory may report patient test results (PHI) through an HIE that receives and transmits the PHI to a PHA, when the HIE is performing this data transmission on behalf of the laboratory as the laboratory’s business associate,” explained the guidance.

OCR also noted that it will not impose penalties on a business associate HIE for disclosing information to a public health authority during the COVID-19 emergency when its business associate agreements do not authorize the disclosure.

The guidance likely will be particularly relevant as the COVID-19 pandemic continues to wreak havoc throughout the country. As OCR noted, “A state PHA can engage an HIE to collect test results and associated patient information from health care providers and then transmit that information into the state’s electronic contact tracing system.”

OCR also said that when a public health authority requests a summary record or another specified data set of protected health information, a covered hospital, laboratory or other provider may reasonably rely on that authority to be requesting the minimum necessary information.

“In such cases, the Privacy Rule does not require a covered entity to make an independent determination of minimum necessary when responding to a request from a PHA for the PHA’s public health activities,” wrote OCR.

For example, this could be the case when “the Centers for Disease Control and Prevention (CDC), in its capacity as a PHA, requests that health care providers disclose PHI on an ongoing basis for all prior and current cases of patients exposed to COVID-19, whether suspected or confirmed, using Electronic Case Reporting (eCR), the automated generation and transmission of case reports from EHRs to public health agencies, for review and action.”

A covered entity can also disclose information to an authority through an HIE without receiving a direct request from the authority, said OCR. During the public health emergency, an HIE may also provide protected health information it’s received from a business associate to an authority without obtaining permission from the covered entity.


Health information exchanges already have proved useful during the COVID-19 crisis. For instance, Health Current, Arizona’s statewide HIE, told Healthcare IT News in March that it had pivoted to focus on marshalling healthcare-data resources across the state in response to the COVID-19 crisis.

“We see ourselves as a partner here in Arizona to make sure that we’re providing the best care possible. So we see ourselves definitely as a piece of that puzzle,” Health Current CIO Keith Parker told HITN.

The Office of the National Coordinator for Health IT also announced in August that it plans to bolster existing HIE infrastructure, so public health agencies are able to better access, share and use health data, during and after the COVID-19 pandemic.


“An HIE that is in a business associate relationship with a covered entity will not be subject to HIPAA penalties if the HIE (1) transmits summary records about individuals diagnosed with COVID-19 to the city health department that is collecting the information to track COVID-19, regardless of whether that public health disclosure is permitted by the HIE’s [business associate agreement] with the covered health care provider; and (2) notifies the covered entity, within 10 days after it first transmitted such information to the city health department, that it is providing such information to the health department,” explained OCR.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.
