Late last week, HHS’s Office for Civil Rights (OCR) and Office of the National Coordinator for Health IT (ONC) issued two Fact Sheets (or guidance documents) intended to assist regulated industry in Understanding Some of HIPAA’s Permitted Uses and Disclosures of protected health information (PHI):
- Permitted Uses and Disclosures: Exchange for Health Care Operations, 45 Code of Federal Regulations (CFR) 164.506(c)(4) (dated January 2016, released Feb. 12, 2016) (HCO Fact Sheet); and
- Permitted Uses and Disclosures: Exchange for Treatment, 45 Code of Federal Regulations (CFR) 164.506(c)(2) (dated January 2016, released Feb. 12, 2016) (Treatment Fact Sheet).
As a general matter, OCR and ONC recognize that, although the HIPAA regulations have been in effect for years, many health care providers (which are Covered Entities (CEs)) remain confused about the permissibility of sharing PHI for routine purposes like treatment or care coordination. That confusion presents obstacles to the exchange of digital health information and to industry's use of Certified Electronic Health Record Technology (CEHRT).
The HCO Fact Sheet clarifies that a CE can disclose PHI to another CE (or a contractor (i.e., business associate (BA)) working for that CE) for activities that fall within HIPAA's definition of HCO. It illustrates how HIPAA supports the sharing of PHI by providers to, for instance: enable case management by a health plan; engage in quality assessment and/or quality improvement; and conduct population health activities. The Treatment Fact Sheet explains how HIPAA supports the sharing of PHI between and among providers in order to treat and/or coordinate care for CE patients. Both fact sheets also provide information on what health care providers should do to help ensure that sharing PHI for either treatment or operations complies with the HIPAA Privacy and Security Rules.
These Fact Sheets focus on scenarios that generally would not implicate other exceptions to the patient authorization requirement, such as face-to-face communications and “refill reminders” (exception to the definition of “marketing”). It is worth noting, however, that since its January 2013 omnibus final rulemaking under the HITECH Act, OCR has observed that “the lines between a marketing communication and a communication for a treatment or health care purpose unavoidably overlap, as a necessary part of providing treatment and health care services and benefits is to encourage or advise individuals to purchase or use certain health-related products or services.” Refill Reminder Guidance, Background (Sept. 19, 2013).
Importantly, HHS repeatedly makes clear that the disclosing CE (or BA) is not responsible for any impermissible use or disclosure of the PHI by the receiving CE (or its BA). Assuming that the initial disclosure to the recipient was allowed, and that the disclosing party otherwise complied with HIPAA in making the disclosure, it is not liable for subsequent misuse, improper disclosure, breaches, or the like. Of course, the disclosing party remains responsible for disclosing the PHI to the recipient for a permitted reason, in a permissible and secure manner, and for taking reasonable steps to ensure delivery to the correct party (e.g., sending it to the right address). See, e.g., Treatment Fact Sheet at 1-2.
HCO Fact Sheet
HHS clarifies that the Privacy Rule permits the disclosure of PHI by a CE to another CE (or that CE’s BA), without patient authorization, for the following subset of HCO activities of the recipient CE:
- Conducting quality assessment and improvement activities;
- Developing clinical guidelines;
- Conducting patient safety activities as defined in applicable regulations;
- Conducting population-based activities relating to improving health or reducing health care cost;
- Developing protocols;
- Conducting case management and care coordination (including care planning);
- Contacting health care providers and patients with information about treatment alternatives;
- Reviewing qualifications of health care professionals;
- Evaluating performance of health care providers and/or health plans;
- Conducting training programs or credentialing activities; or
- Supporting fraud and abuse detection and compliance programs.
HCO Fact Sheet at 1.
Prior to any disclosure, however, both CEs must have (or have had) a relationship with the patient, the relevant PHI must pertain to that relationship, and only the minimum necessary amount of PHI can be disclosed for the particular HCO at hand. With respect to the minimum necessary amount of PHI required, HHS provides the following very general and relatively loose guidance with an example: "in sharing information with an individual's health plan for population health programs (for example, a diabetes management program), a provider should disclose the PHI that is necessary for the program to be effective." Id. (emphasis added). Based on the general nature of its guidance, it appears that the agencies are largely (and appropriately, it seems) deferring to practitioners to determine how their programs are most effective.
HHS provides a further example of permissible disclosure for a CE's HCO, whereby a health plan employs a health care management and planning company to provide periodic nutritional advice to its diabetic and pre-diabetic members. The care planning company is a BA of the health plan and, as such (assuming this is permissible under the applicable Business Associate Agreement (BAA)), it collects PHI from members' other treatment providers. The other CE providers may disclose PHI to the plan's BA "necessary to achieve the case management purpose for which the nutritional coach was hired by the health plan" because these are HCOs; specifically, "population-based activities relating to improving health or reducing costs" and "case management." HCO Fact Sheet at 2. (HHS further notes that a BAA is not required between the plan's BA and the other CEs. See id.)
HHS goes on to provide additional examples of permissible uses and disclosures of PHI for HCOs concerning an Accountable Care Organization’s (ACO) Quality Committee as well as a Quality Assessment Using a Health Information Exchange (HIE) and Quality Improvement Among Several CEs for Population Health. See HCO Fact Sheet at 3-4.
Specifically, HHS makes clear that an ACO, comprising multiple providers acting as an Organized Health Care Arrangement (OHCA), may allow its quality committee to access the PHI of the multiple providers in order to undertake a quality assessment using CEHRT. The committee could review, for example, the treatment and health outcomes of ACO patients who experienced hospital-acquired infections or surgical errors for the "quality assessment and improvement purposes of the ACO/OHCA." Id. at 3. If the ACO were not operating as an OHCA, the committee could access only the PHI of patients whom the individual providers share, or a single provider's own PHI for assessment of that provider in isolation.
Similarly, HHS recognizes that unaffiliated hospitals in the same community often see the same patients and may not be able to discern the source of a patient's hospital-acquired infection. All hospitals that have treated or are treating the patient may use CEHRT or an HIE to share relevant PHI to determine the source of the infection, in an effort to prevent future infections. HHS deems this a population health activity, and therefore an HCO. Id. at 4.
The core principle in all of the above scenarios is, as always under HIPAA, the minimum necessary requirement.
Treatment Fact Sheet
The Treatment Fact Sheet focuses on the use and disclosure of PHI by or between health care provider CEs for the coordination of patient care. HHS reinforces that:
“[t]reatment is broadly defined as the provision, coordination, or management of health care and related services by one or more providers, including the coordination or management of health care by a provider with a third party; consultation between providers relating to a patient; or the referral of a patient for care from one provider to another.”
Treatment Fact Sheet at 1 (citing 45 C.F.R. § 164.501) (emphasis added).
HHS goes on to provide an example of permissible disclosure of PHI for a CE’s treatment purposes where a provider seeks to ensure that discharged patients obtain a “comprehensive care plan for the immediate post-acute period.” Treatment Fact Sheet at 2. The provider hires a care planning company as its BA. After signing a BAA, the care planning company develops comprehensive, post-acute care plans for the CE’s patients. For this treatment purpose, the BA may permissibly obtain PHI from the patients’ other providers. See id. (This scenario mirrors the HCO Fact Sheet example whereby a health plan employs a health care management company to provide periodic nutritional advice to its diabetic and pre-diabetic members. This demonstrates that permissible uses and disclosures that qualify as treatment and HCO can, and often do, overlap.)
HHS provides a further example of permissible disclosure of PHI for treatment to "downstream" CE health care providers: an inpatient facility may permissibly disclose PHI to a prospective (i.e., potentially suitable) rehabilitation facility that may be in a position to treat the patient. The disclosure in this case is for the rehabilitation facility to evaluate whether it can provide appropriate care. Id. at 3. As with all covered functions under HIPAA, a BA could assist either or both of the inpatient and rehabilitation facilities with the disclosure, receipt, and handling of the PHI.
* * * * *
After a significant quiet spell, we definitely are beginning to see more and more HIPAA guidance from HHS/OCR. We anticipate additional releases in the coming months, potentially addressing the minimum necessary standard and related issues. So stay tuned.