ONC blog series tries to bust HIPAA information-sharing myths

The Office of the National Coordinator for Health Information Technology (ONC) is trying to shake the Health Insurance Portability and Accountability Act’s (HIPAA’s) (P.L. 104-91) image as a roadblock to information-sharing. In a four-part blog series, Chief Privacy Officer Lucia Savage, J.D., and Privacy Analyst Aja Brooks, J.D., described HIPAA’s promotion of interoperability through permitted uses and disclosures that do not require covered entities (CEs) to first obtain written authorization from the patient. The posts provided real-life examples of permitted uses and disclosures involved in exchanges for both treatment and health care operations.


If an individual authorizes a release of protected health information (PHI) in writing, including when she requests that the PHI be sent directly to a third party, a CE or business associate (BA) must generally comply. However, CEs and BAs are often uncomfortable releasing PHI when such authorization has not been given. The blogs emphasize that HIPAA provides for the release of PHI for treatment and health care operations of either the disclosing CE or the recipient CE (45 C.F.R. 164.506(c)). Treatment is defined pursuant to 45 C.F.R. 164.501 and includes, in addition to traditional treatment, referrals, coordination of health care services with a third party, and consultation between providers. A disclosing provider is responsible for disclosing the information in a permitted and secure manner, such as via certified electronic health record technology (CEHRT), but will not be liable for any actions that the recipient takes with that information.

Health care operations

Covered entities may also disclose information to other CEs or their respective BAs without authorization in certain circumstances related to health care operations, including those involving case management and quality assessment and improvement.  In all instances, both CEs involved in the exchange must have an existing or previous relationship with the patient, the requested PHI must pertain to that relationship, and the disclosing CE must release only the minimum necessary information.  For example, a physician may disclose minimum necessary PHI related to diabetic and pre-diabetic patients to a health management company that is a BA of a health plan (CE) so that the health management company can, at the health plan’s request, provide semi-monthly nutritional advice to members. The ONC also indicated that providers who are part of an accountable care organization (ACO) and operate as an organized health care arrangement (OHCA) may provide PHI to the ACO’s quality committee for quality assessment purposes if, for example, the ACO is looking to improve its rate of hospital-acquired infections.  Similarly, a provider may provide PHI about a current patient to the patient’s former provider if the former provider needs that information for quality assessment.

HIPAA: a tool for sharing?

The blog authors explained that HIPAA is not only a tool to protect PHI, but can be used to enable access to that same information when necessary for patient care. They hoped that the posts “shed some light on how HIPAA supports the goal of nationwide, interoperable exchange of health information for patient care and health.”  Perhaps wary providers will take note.