Confusion about the Health Insurance Portability and Accountability Act (HIPAA) often prevents physicians from sharing electronic protected health information (PHI) without a patient’s authorization. Experts at the Office of the National Coordinator for Health Information Technology (ONC), however, say this is a common misconception and are seeking to provide clarification to both patients and physicians.
ONC recently published a four-part series of blog posts on permitted uses and disclosures of PHI under HIPAA. The series provides reference materials and offers clarification to physicians and patients on when they can use and disclose PHI without patient authorization.
HIPAA promotes interoperability
“What many people don’t realize is that HIPAA not only protects personal health information from misuse,” one post said, “but also enables PHI to be accessed, used or disclosed interoperably, when and where it is needed for patient care.” The experts note that HIPAA gives health care professionals permission to share PHI for patient care, quality improvement, population health and more.
“HIPAA provides many pathways for permissibly exchanging PHI,” the authors said. Working with the Office for Civil Rights (OCR), the ONC has developed two fact sheets incorporating practical, real-life scenarios that demonstrate how HIPAA supports interoperability:
- “Permitted uses and disclosures: Exchange for treatment”
- “Permitted uses and disclosures: Exchange for health care operations”
Permitted disclosure of PHI
The first fact sheet states that under HIPAA, physicians may disclose PHI (whether orally, on paper, by fax or electronically) to another provider for the treatment activities of that provider, without needing patient consent or authorization. HIPAA broadly defines “treatment” as the provision, coordination or management of health care and related services by one or more providers. This includes the coordination or management of health care by a provider with a third party; consultation between providers relating to a patient; or the referral of a patient for care from one provider to another.
According to the second fact sheet, physicians and other covered entities must meet three requirements to share PHI for purposes of health care operations:
- Both covered entities must have or have had a relationship with the patient
- The PHI requested must pertain to the relationship
- The discloser must disclose only the minimum information necessary for the health care operation at hand
If those criteria are met, a covered entity can disclose PHI to another covered entity or business associate for the following health care operations activities without patient consent or authorization:
- Conducting quality assessment and improvement activities
- Developing clinical guidelines
- Conducting patient safety activities as defined in applicable regulations
- Conducting population-based activities relating to improving health or reducing health care cost
- Developing protocols
- Conducting case management and care coordination (including care planning)
- Contacting health care providers and patients with information about treatment alternatives
- Reviewing qualifications of health care professionals
- Evaluating performance of health care providers and/or health plans
- Conducting training programs or credentialing activities
- Supporting fraud and abuse detection and compliance programs
Watch AMA Wire® in the coming weeks for a closer look into some of these circumstances and how you can take advantage of HIPAA’s capacity for interoperability and data sharing.