Is a health care provider permitted by the HIPAA Privacy Rule to allow an ONC-ACB to conduct “in the field” surveillance on an EHR technology previously certified by the ONC-ACB, when protected health information (PHI) may be accessible to the ONC-ACB during the surveillance?
Answer: Yes. Under the Office of the National Coordinator (ONC) HIT Certification Program rules at 45 CFR 170 Subpart E, ONC-ACBs are authorized to perform EHR technology certification on behalf of ONC. An ONC-ACB is also required, as a condition of its accreditation and ONC authorization, to perform surveillance on the EHR technology it certifies to ensure that the EHR technology continues to perform in an acceptable manner "in the field." In this capacity, ONC-ACBs meet the definition of a "health oversight agency" in the HIPAA Privacy Rule, and a health care provider is permitted to disclose PHI (without patient authorization and without a business associate agreement) to an ONC-ACB for the limited time, and only to the extent necessary, for the ONC-ACB to perform the required on-site surveillance of the certified EHR technology. 45 CFR 164.501, 164.512(d)(1)(iii).