Now that you know the Health Insurance Portability and Accountability Act (HIPAA) allows data sharing without patient authorization for certain health care operations activities, take a closer look at the range of situations in which your practice can use technology to obtain and share patient information. Test your HIPAA knowledge in three data sharing situations and determine whether or not they are HIPAA-compliant.
Experts at the Office of the National Coordinator for Health IT (ONC) recently published a series of blog posts on permitted uses and disclosures of protected health information (PHI) under HIPAA. The series provides reference materials and offers clarification to physicians and patients on when they can use and disclose PHI.
The blog posts offer several examples of when physicians or hospitals can disclose PHI without patient authorization. Here are three data sharing situations to test your HIPAA knowledge:
Sharing data for care coordination
The situation: You work in a hospital. As you prepare to discharge a patient who will need ongoing rehabilitation, you also need to find a rehabilitation facility that provides the type of care this specific patient needs.
In order to find out which rehabilitation facility will accept this patient, you will need to share PHI about the patient with each facility. Can you release this PHI to these facilities to find the best place for your patient to continue care?
The answer: Yes, your hospital may use certified electronic health record (EHR) technology to disclose the relevant PHI to the rehabilitation facilities without obtaining the patient’s written authorization as long as the disclosure is done in a manner that complies with the HIPAA Security Rule.
This is a treatment disclosure made in anticipation of future treatment by one of the prospective rehabilitation facilities and is allowed under HIPAA.
A concern: If you disclose this information to the rehabilitation facilities, will your hospital be held responsible for what they do with that information after the fact?
No. Under HIPAA, your hospital is responsible only for complying with HIPAA when you disclose the information. After the rehabilitation facilities have received the PHI, they, as covered entities, are responsible for safeguarding that PHI.
Sharing data for quality assessment and improvement
The situation: You are conducting a quality review and need to know the health outcome of a patient that you treated but are no longer in contact with. Does HIPAA allow you to query a health information exchange (HIE) for the relevant information about that patient?
The answer: Yes, you can query an HIE or even ask the patient’s new physician directly (if you know who it is) without obtaining the patient’s written permission because this qualifies as a quality assessment activity.
The other side: If you are the physician responding to this query, you may use certified EHR technology to send the PHI directly to the requesting physician or to the HIE.
Other hospitals that have treated or are treating this patient also may use certified EHR technology to share relevant PHI to determine the cause or source of an infection if one has occurred. This determination may aid in preventing infections for future patients as long as the information is shared in compliance with HIPAA.
Sharing data for care planning
The situation: When you discharge patients from your hospital, you want to make sure they have a comprehensive care plan after they leave. You hire a care planning company to develop these plans for your patients on your behalf. The care planning company requests relevant PHI about each patient from your hospital and the patient’s other health care providers. Does HIPAA allow your hospital and the other providers to disclose this information to the care planning company?
The answer: Yes, your hospital and each of the other providers may disclose relevant PHI for purposes of care planning without obtaining written authorization from the patients using certified EHR technology as long that the sharing is done in compliance with HIPAA.
A precaution: In a situation such as this, your hospital should enter into a business associate agreement with the care planning company. All of the other health care providers may share PHI with the care planning company as if they are sharing it with your hospital. They are not required to execute a business associate agreement.
Once the others have shared patients’ PHI with the care planning company in compliance with HIPAA, they are no longer responsible for what the care planning company does with that PHI.
ONC's health blog provides a more detailed look into data sharing under HIPAA.