Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued guidance on how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits covered entities and their business associates to use health information exchanges (HIEs) to disclose protected health information (PHI) for the public health activities of a public health authority (PHA).
The guidance provides examples relevant to the COVID-19 public health emergency on how HIPAA permits covered entities and their business associates to disclose PHI to an HIE for reporting to a PHA that is engaged in public health activities. The guidance answers these questions:
- What is an HIE?
- When does the HIPAA Privacy Rule permit a covered entity or its business associate to disclose PHI to an HIE for purposes of reporting the PHI to a PHA, without an individual’s authorization?
- Can a covered entity rely on a PHA’s request to disclose a summary record to a PHA or HIE as being the minimum necessary PHI needed by the PHA to accomplish the public health purpose of the disclosure?
- May a covered entity disclose PHI to a PHA through an HIE without receiving a direct request from the PHA?
- May an HIE provide PHI it has received as a business associate of a covered entity to a PHA for public health purposes without first obtaining permission from the covered entity?
- Is a covered entity required to provide notice to individuals about its disclosures of PHI to a PHA for public health purposes? Is an HIE that is a business associate required to provide such notice?
“OCR is issuing this guidance to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency,” said OCR Director Roger Severino.
The Guidance on HIPAA, Health Information Exchanges, and Disclosures for Public Health Purposes may be found at: https://www.hhs.gov/sites/default/files/hie-faqs.pdf.