Getty Images

OCR Guide on HIPAA-Compliant PHI Disclosures Via HIEs, Amid COVID-19

Recent OCR guidance sheds light on HIPAA-permitted disclosures of protected health information via HIEs for public health activities amid COVID-19.

The Office for Civil Rights recently released guidance for covered entities and business associates on HIPAA-permitted disclosures of protected health information through the use of health information exchanges (HIE) for public health activities, particularly during COVID-19.

The insights join a number of previous COVID-19-related guidelines provided by OCR during the national crisis to ensure appropriate and necessary data disclosures, which can help support the overall coronavirus response in the US.

The latest guide sheds light on HIEs, HIPAA-compliant PHI disclosures, and public health activities of a public health authority (PHA), as well as examples relevant to the public health emergency.

These insights shed light on the HIPAA rule and are designed to help providers and relevant business associates better understand how to remain compliant when leveraging HIEs for data sharing.

“OCR is issuing this guidance to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public's health, particularly during the COVID-19 public health emergency," said OCR Director Roger Severino, in a statement.

For the purpose of the guidance, OCR defines an HIE as “an organization that enables the sharing of electronic PHI among more than two unaffiliated entities, such as healthcare providers, health plans, and business associates, for treatment, payment, or healthcare operations purposes.”

HIEs can also provide other services and functions to participants, such as public health reporting to PHAs, patient record location, and data aggregation and analysis. Examples of HIEs include both nationwide and statewide HIEs, regional health information organizations (RHIOs), and certain clinical data registries.

Providers can leverage the OCR guidance to determine when the HIPAA rule permits a covered entity or business associate to disclose PHI to an HIE, when it comes to reporting PHI to a PHA without an individual’s authorization. Under HIPAA, some PHI disclosures to HIEs is permitted in this manner, including when required by law.

“For example, where a state law requires hospitals to transmit patient treatment and laboratory testing data to an HIE for the purpose of reporting to the appropriate state or local public health department, the covered hospital would not violate the Privacy Rule when it transmits the data to an HIE for that purpose,” according to the insights.

The insights also shed light on how HIEs can be leveraged by business associates, while remaining compliant with the HIPAA rule. HIPAA has specific methods business associates must use to remain compliant, although OCR previously lifted some enforcement measures amid the COVID-19 crisis.

OCR also provided insights for when an HIE is acting under a grant of authority or contract with a PHA for a public health activity and relevant compliance concerns. The guide stressed that a covered entity is permitted to rely on a PHA’s request to disclose a summary record to a PHA or HIE, as being the minimum necessary PHI needed to accomplish the public health purpose.

Further, the guide explained that covered entities are indeed permitted to disclose PHI to a PHA through an HIE without a direct request from the PHA to do so, “if the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting on behalf of the PHA.”

An HIE is also permitted to provide PHI it received as a business associate of a covered entity to a PHA for public health purposes without first obtaining permission from a covered entity during the COVID-19 public health emergency.

“OCR will not impose penalties on a business associate HIE for violations of certain provisions of the Privacy Rule if the HIE transmits PHI it receives as a covered entity’s business associate to a PHA for the PHA’s public health activities, regardless of whether the HIE’s BAA with the health care provider permits such disclosure or the provider otherwise authorizes the disclosure,” according to the guide.

“As provided in the Business Associate NED, OCR will exercise its enforcement discretion and will not impose penalties against a business associate or covered entity under the Privacy Rule... and if, and only if the business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR... or health oversight activities consistent with 45 CFR; and (2) the business associate informs the covered entity within 10 calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time),” it added.

Providers should refer to the guidance for full information on the HIE guidance as it pertains to the public health emergency, in order to ensure compliance with the privacy rule.

Next Steps

Dig Deeper on HIPAA compliance and regulation