Computable Privacy in Action
Under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, health care entities are not required to get patient consent before using or disclosing Protected Health Information (PHI) for treatment, payment, and health care operations. Entities can share PHI digitally or by phone, fax, or mail.
Although HIPAA does not require that health care entities offer patients a choice about the sharing of their PHI, many entities and states have adopted policies or laws that require patient consent. HIPAA is designed to work in tandem with more privacy-protective policies, so in those states the entity is required to get the patient’s basic consent preference (e.g., the entity must document whether the patient wishes to opt in to or opt out of electronic exchange).
Below are a few examples of the ways Computable Privacy supports data flow in line with the patient’s consent preference. This is not a comprehensive list of scenarios.
Patient is Not Asked for a Consent Decision
When patient consent is not required and HIPAA background rules apply, PHI can flow as shown in the graphic below.
[Figure: Flow of PHI When Patient is Not Asked for a Consent Decision]
Patient Declines Digital Sharing
If patient consent is required and a patient makes a consent decision that does not allow her health information to be shared digitally, entities can still exchange the patient’s information. However, in line with HIPAA, the entities must use phone, fax, or mail. These methods can be much slower and costlier than digital sharing. This type of scenario is shown in the graphic below.
[Figure: Flow of PHI when Patient Declines Digital Sharing]
Patient Allows Partial Sharing
Sensitive health information, which includes mental health records, adds another layer of complexity to the Computable Privacy environment. The graphic below shows what happens when there are specialized rules for specific clinical categories, such as mental health. In this scenario, a patient chooses to stop her health care entities from sharing her mental health records, but she allows them to share her physical health records.
[Figure: Flow of PHI when Patient Does Not Consent to Mental Health Record Sharing]
Adding to the complexity of sensitive health situations, privacy laws and policies vary between states and entities. This can complicate a situation where the health entities that want to share patient information are in different states. In addition, the ability of Information Technology (IT) systems to separate a patient’s health information into categories is not always in step with current law and policy.
ONC Working with States to Enable Computable Privacy
The organizations in today’s Computable Privacy environment are not always able to easily or fully execute a patient’s consent decision. This is why the Office of the National Coordinator for Health Information Technology (ONC) is working with states and other health policy groups to enable Computable Privacy.
The information here is not intended to serve as legal advice nor should it substitute for legal counsel. The information presented is not exhaustive, and readers are encouraged to seek additional guidance to supplement the information contained herein.