Privacy & Security Policy

Computable Privacy in Action

Under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, health care entities are not required to get patient consent before using or disclosing Protected Health Information (PHI) for treatment, payment, and health care operations. Entities can share PHI digitally or by phone, fax, or mail.

Although HIPAA does not require that health care entities offer patients a choice about the sharing of their PHI, many entities and states have adopted policies or laws that require patient consent. HIPAA is designed to work in tandem with more privacy-protective policies, so in those states the entity is required to record the patient’s basic consent preference (e.g., the entity must document whether the patient wishes to opt in to or opt out of electronic exchange).

Below are a few examples of the ways Computable Privacy supports data flow in line with the patient’s consent preference. This is not a comprehensive list of scenarios.

Patient is Not Asked for a Consent Decision

When patient consent is not required and HIPAA background rules apply, PHI can flow as shown in the graphic below.

Graphic shows patient at center, with patient’s information streaming out to entities such as hospitals, doctor’s offices, skilled nursing facilities, and specialists. The entities providing care share the patient’s PHI with one another as appropriate under HIPAA.

Flow of PHI When Patient is Not Asked for a Consent Decision

Patient Declines Digital Sharing

If patient consent is required and a patient makes a consent decision that does not allow her health information to be shared digitally, entities can still exchange the patient’s information. However, in line with HIPAA, the entities must use phone, fax, or mail. These methods can be much slower and costlier than digital sharing. This scenario is shown in the graphic below.

Graphic shows patient at center, with patient’s information streaming out to entities such as hospitals, doctor’s offices, skilled nursing facilities, and specialists. Because the patient made a consent decision to not allow the health care entities to share her information with one another digitally, those entities are using a fax machine to share the information.

Flow of PHI when Patient Declines Digital Sharing

Patient Allows Partial Sharing

Sensitive health information, which includes mental health records, adds another layer of complexity to the Computable Privacy environment. The graphic below shows what happens when there are specialized rules for specific clinical categories, such as mental health. In this scenario, a patient chooses to stop her health care entities from sharing her mental health records, but she allows them to share her physical health records.

Graphic shows patient at center, with patient’s information streaming out to entities such as hospitals, doctor’s offices, skilled nursing facilities, and specialists. The patient made a consent decision to allow the health care entities to share her physical health information with one another digitally, but she did not approve any sharing of her mental health information. Therefore, her physical health information is flowing between her health care entities, but her mental health records are not being shared.

Flow of PHI when Patient Does Not Consent to Mental Health Record Sharing

Adding complexity to sensitive health situations is the fact that privacy laws and policies vary between states and entities. This can complicate a situation where the health care entities that want to share patient information are in different states. In addition, the ability of Information Technology (IT) systems to separate a patient’s health information into categories is not always in step with current law and policy.

ONC Working with States to Enable Computable Privacy

The organizations in today’s Computable Privacy environment are not always able to easily or fully execute a patient’s consent decision. This is why the Office of the National Coordinator for Health Information Technology (ONC) is working with states and other health policy groups to enable Computable Privacy.

Disclaimer

The information here is not intended to serve as legal advice nor should it substitute for legal counsel. The information presented is not exhaustive, and readers are encouraged to seek additional guidance to supplement the information contained herein.