Sharing PHI Electronically
Many people don’t realize that the Health Insurance Portability and Accountability Act (HIPAA) actually enables information sharing. HIPAA (specifically the HIPAA Privacy Rule) defines the circumstances in which a Covered Entity (CE) may use or disclose an individual’s Protected Health Information (PHI). HIPAA provides many pathways for permissibly exchanging PHI, which are commonly referred to as HIPAA Permitted Uses and Disclosures.
Permitted Uses and Disclosures are situations in which a CE is permitted, but not required, to use and disclose PHI without first having to obtain a written authorization from the patient. The circumstances in which this information may be shared must meet specific criteria, and the minimum necessary rule applies. Instances when a patient’s authorization is not required are listed in the provider’s HIPAA Notice of Privacy Practices.
In general, a CE may only use or disclose PHI if either (1) the HIPAA Privacy Rule specifically permits or requires it; or (2) the individual who is the subject of the information provides a written authorization. The first type of scenario is referred to as a “Permitted Use.”
The sections below cover two types of Permitted Uses: Health Care Operations and Treatment.
Note: The information here is not intended to serve as legal advice nor should it substitute for legal counsel. The information presented is not exhaustive, and readers are encouraged to seek additional guidance to supplement the information contained herein.
Health Care Operations
Under the HIPAA Privacy Rule (45 CFR 164.501), CEs can use and disclose PHI to another CE or that CE’s Business Associate (BA) for the following health care operations activities without needing patient consent or authorization:
- Conducting quality assessment and improvement activities
- Developing clinical guidelines
- Conducting patient safety activities
- Conducting population-based activities relating to improving health or reducing health care costs
- Developing protocols
- Conducting case management and care coordination (including care planning)
- Contacting health care providers and patients with information about treatment alternatives
- Reviewing qualifications of health care professionals
- Evaluating performance of providers and/or health plans
- Conducting training programs or credentialing activities
- Supporting fraud and abuse detection and compliance programs
Before a CE can share PHI with another CE for one of the reasons noted above, the following three requirements must also be met:
- Both CEs must have or have had a relationship with the patient (can be a past or present patient).
- The PHI requested must pertain to the relationship.
- The discloser must disclose only the minimum information necessary for the health care operation at hand.
Take a look at illustrations of health care operations in which PHI disclosure would be permitted. Find out more in a Health IT Buzz Blog article series by OCPO’s Lucia Savage and Aja Brooks.
Treatment
Under HIPAA, a covered entity provider can disclose PHI to another covered entity provider for the treatment activities of the recipient health care provider, without needing patient consent or authorization (45 CFR 164.506(c)(2)). Treatment (45 CFR 164.501) is broadly defined. It includes not only what we think of as traditional treatment and diagnosis, but also making and receiving referrals; coordination or management of health care and related services by a provider, even through a hired third party (for example, a nutritionist); and several other functions.