HIPAA Supports Electronic Exchange of Health Information at the Federal, State, and Local Level

Lucia Savage | January 11, 2017

Important work to ensure the health system is functioning properly is conducted by a wide variety of entities at the federal, state, and local level. These agencies may license health care professionals or health insurance companies, administer a state Medicaid program, monitor compliance and efficacy of health care programs, and even ensure individual civil rights related to how organizations use patients’ health information. This important work sometimes requires that the oversight agency receive health information about individuals, which often raises questions about the Health Insurance Portability and Accountability Act (HIPAA).

To support these activities and to help make sure that these important oversight activities can benefit from our nation’s digital health infrastructure, the U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR) today published a new fact sheet. This fact sheet explains how a key provision of the HIPAA Privacy Rule permits covered entities to share protected health information (PHI) electronically with health oversight agencies without obtaining written authorization from the individual or patient. For a comprehensive discussion of the HIPAA Privacy Rule and Health Information Technology, see ONC’s Guide to Privacy and Security of Electronic Health Information.

The new fact sheet uses illustrated and easy-to-understand examples explaining how this HIPAA provision works across settings where health oversight occurs. These examples include:

  • A health plan that shares beneficiary PHI with the state health insurance commissioner responsible for evaluating insurers’ conduct in the marketplace;
  • A physician who sends her patients’ PHI to the state medical board investigating patient complaints;
  • A nursing home that sends PHI to the state Medicaid fraud office in response to its request for data that could validate compliance with Medicaid billing guidelines;
  • A hospital that shares PHI with the U.S. Food and Drug Administration in connection with an investigation into the safety of certain implantable devices;
  • A health plan sending beneficiary enrollment PHI to a state insurance department conducting an audit to ensure civil rights compliance; and
  • Providers disclosing PHI to Centers for Medicare and Medicaid Services (CMS) contractors conducting Medicaid compliance work on behalf of CMS.

The health oversight fact sheet also describes how important provisions of the HIPAA Privacy and Security Rules may apply to exchanges of health information for health oversight, such as the ‘minimum necessary’ rule and Security Rule considerations for the data being exchanged.

The new fact sheet is part of the collection of ONC/OCR fact sheets and ONC’s blog series explaining how HIPAA not only keeps patient data secure, but also improves the flow of health information. Topics explained in this series include how covered entities are permitted to share PHI for important activities, including treatment, payment, health care operations and public health activities.