Disclosures of PHI to Health Information Exchanges under HIPAA: OCR Issues Guidance

The Department of Health and Human Services’ Office for Civil Rights has released new information in relation to the Health Insurance Portability and Accountability Act (HIPAA) Rules governing the sharing of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA).

An HIE is classified as a group that allows the sharing of electronic PHI (ePHI) between more than two unaffiliated entities such as healthcare suppliers, health plans, and their business associates. HIEs share ePHI for treatment, payment, or healthcare processes, for public health reporting to PHAs, and for carrying out other functions and services such as patient record location and data aggregation and review.

HIPAA supports the implementation of HIEs and the sharing of health data to enhance public health, which has been especially important during the COVID-19 public health emergency. The HIPAA Privacy Rule allows HIPAA-covered bodies and their business associates to send protected health information to an HIE for reporting to a PHA that is engaged in public health, without requiring prior individual permission.

Such sharing is allowed in the following circumstances:

  • When sharing is required by federal, state, local, or other laws that are enforceable in court
  • When the HIE is operating under a grant of authority or contract with a PHA for a public health activity
  • When the HIE is a business associate of the covered entity or another business associate, and would like to provide ePHI to a PHA for public health purposes*

*The HIPAA Privacy Rule only allows an HIE which is a business associate of the covered entity or another business associate to share ePHI to a PHA for public health purposes if it is expressly stated that they can do so in the business associate agreement (BAA) with the covered entity. However, earlier in 2020 in response to the COVID-19 public health emergency, OCR released a notice of enforcement discretion stating no measures will be taken against a business associate for good faith sharing of ePHI to a PHA for public health purposes if they are not expressly allowed to share ePHI to a PHA in their BAA. In such cases, the business associate must advise the covered entity in less than 10 calendar days of the disclosure. The notice of enforcement discretion is only valid for as long as the COVID-19 public health emergency persists. When the Secretary of the HHS declares the COVID-19 public health emergency over, such sharing will no longer be permitted unless expressly permitted in the BAA.

Sharing of ePHI by an HIE to a PHA should be kept to the minimum necessary information to achieve the aim of the disclosure. A covered entity can rely on a PHA’s request to share a summary record to the PHA or HIE as being the smallest amount of PHI possible to achieve the public health purpose of the disclosure.

A covered entity is allowed by the HIPAA Privacy Rule to share ePHI to a PHA through an HIE, even if a direct request for the PHI is not submitted by the PHA, provided the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting for the PHA.

While the above sharing of ePHI for public healthcare reasons does not require authorizations to be obtained from the individuals whose PHI is being shared, those individuals must be notified about such disclosures. That can be achieved by stating in the group’s Notice of Privacy Practices that disclosures of ePHI will take place for public health reasons.

You can review the OCR document on the HHS website, which can be accessed on this link (PDF).