The Real HIPAA: Permitted Uses and Disclosures

Aja Brooks and Lucia Savage | February 11, 2016

Welcome to the second blog in our series on how HIPAA supports exchange of electronic health information for patient care and health. This blog post summarizes the new ONC fact sheets on HIPAA Permitted Uses and Disclosures for exchange (Treatment and Health Care Operations), developed in conjunction with the Office for Civil Rights. This installment answers the questions: What are HIPAA Permitted Uses and Disclosures? And how they support the national priority of interoperability?

 Permitted Uses and Disclosures in HIPAA

The HIPAA Privacy Rule defines when, under federal law, a covered entity may use or disclose an individual’s Protected Health Information (PHI). In general, a covered entity may only use or disclose PHI if either: (1) the HIPAA Privacy Rule specifically permits or requires it; or (2) the individual who is the subject of the information gives authorization in writing. We note that this blog only discusses HIPAA; other federal or state privacy laws may apply.

For example, the HIPAA Privacy Rule specifically permits a use or disclosure of PHI for the covered entity that collected or created it for its own treatment, payment, and health care operations activities. Similarly, HIPAA also permits the covered entity that collected or created the PHI to disclose it to another covered entity for treatment, payment, and in some cases, the health care operations of the recipient covered entity.

Policies the covered entity adopts, however, should account for the covered entity’s needs in an interoperable health care system, where PHI moves when and where individuals need it for treatment, care and health, even among unaffiliated providers or across health IT platforms. If the covered entity wishes to use or disclose the PHI for something other than treatment, payment, or health care operations, it must obtain patient authorization to do so, unless the use or disclosure is permitted by another provision of the HIPAA Privacy Rule. One important such rule is when a patient requests a copy of her PHI, and asks that it be sent somewhere else. (OCR recently clarified that, when an individual requests a copy of her PHI and asks that it be sent directly to a third party, a provider must comply except in very narrow circumstances.)

Support of Interoperability

But why are Permitted Uses and Disclosures relevant to the national priority of interoperability? Nationwide interoperable health information technology (health IT) will help make the right electronic health information available to the right people at the right time for patient care and health, no matter the care setting, organization, or technology supporting the information exchange. HIPAA’s Permitted Uses and Disclosure are rules that run “in the background” in support of this important nationwide goal.

By way of analogy, in trust and estate law, if a person dies without a will, a system of rules is applied to dispose of that person’s property. This set of rules, which “run in the background” ensures orderly disposition of property even when no will is written.

Similarly, HIPAA Permitted Uses and Disclosures “run in the background.” That way, health information is readily available to be shared so that individuals get the right care at the right time. These background rules are made transparent to individuals through Notices of Privacy Practices. And, as to privacy protections, the HIPAA Privacy Rule applies the same whether the PHI is on a piece of paper or is electronic. (The Security Rule, in contrast, applies only to electronic PHI.)

Sharing PHI for Treatment or Health Care Operations of Another Covered Entity

Now, some examples. First up: Exchange for Treatment. Under HIPAA, a covered entity provider can disclose PHI to another covered entity provider for the treatment activities of the recipient health care provider, without needing patient consent or authorization. (45 CFR 164.506(c)(2).) Treatment (45 CFR 164.501) is broadly defined. It includes not only what we think of as traditional treatment and diagnosis, but also making and receiving referrals; coordination or management of health care and related services by a provider, even through a hired third party (for example, a nutritionist); and several other functions.

Next, a covered entity can disclose PHI to another covered entity (CE) or that CE’s business associate (BA) for the following subset of health care operations activities of the recipient covered entity (45 CFR 164.501) without needing patient consent or authorization (45 CFR 164.506(c)(4):

  • Conducting quality assessment and improvement activities
  • Developing clinical guidelines
  • Conducting patient safety activities as defined in applicable regulations
  • Conducting population-based activities relating to improving health or reducing health care cost
  • Developing protocols
  • Conducting case management and care coordination (including care planning)
  • Contacting health care providers and patients with information about treatment alternatives
  • Reviewing qualifications of health care professionals
  • Evaluating performance of providers and/or health plans
  • Conducting training programs or credentialing activities
  • Supporting fraud and abuse detection and compliance programs.

In general, before a covered entity can share PHI with another covered entity for one of the reasons noted above, the following three requirements must also be met:

  1. Both covered entities must have or have had a relationship with the patient (can be a past or present patient)
  2. The PHI requested must pertain to the relationship
  3. The discloser must disclose only the minimum information necessary for the health care operation at hand.

Under HIPAA’s minimum necessary provisions, a provider must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure or request. (45 CFR 164.502(b)). For example, in sharing information with an individual’s health plan for population health programs (for example, a diabetes management program), a health care provider should disclose the PHI that is necessary for the program to be effective.

If the covered entities are in an “Organized Health Care Arrangement,” or “OHCA,” as defined in the HIPAA Privacy Rule (45 CFR 160.103), additional capabilities may exist for interoperable exchange of PHI.

Next Time

In our next installment, we will delve into Care Management and related topics. As always, if you have questions concerning interoperability, feel free to contact ONC at privacyandsecurity@hhs.gov. If you have questions about HIPAA Privacy and Security, please contact OCRPrivacy@hhs.gov.

This blog and the links to HealthIT.gov it contains are provided for informational purposes only. The information contained in this blog is not intended to serve as legal advice nor should it substitute for legal counsel. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations.  For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

Real HIPAA Blog Series