HIPAA Guidelines

OCR released significant HIPAA Privacy Rule guidance to clarify how the Rule permits covered entities and business associates to use HIEs to disclose PHI for the public health activities of a public health authority.

The HHS Office for Civil Rights (OCR) released the HIPAA Privacy Rule Guidance on using HIEs to disclose PHI for public health activities. OCR also announced that it will not impose penalties for HIPAA violations during COVID.

This guidance highlights how HIPAA supports the use of health information exchanges (HIEs) in sharing health data to improve the public's health, particularly during COVID-19. The guidance provides relevant examples of how HIPAA allows covered entities and their business associates to disclose Patient Health Information (PHI) to an HIE for reporting to a Public Health Agency (PHA). These questions are answered in the FAQ:

• What is an HIE?

• When does the HIPAA Privacy Rule permit a covered entity or its business associate to disclose PHI to an HIE for purposes of reporting the PHI to a PHA, without an individual's authorization?

• Can a covered entity rely on a PHA's request to disclose a summary record to a PHA or HIE as being the minimum necessary PHI needed by the PHA to accomplish the public health purpose of the disclosure?

• May a covered entity disclose PHI to a PHA through an HIE without receiving a direct request from the PHA?

• May an HIE provide PHI it has received as a business associate of a covered entity to a PHA for public health purposes without first obtaining permission from the covered entity?

• Is a covered entity required to provide notice to individuals about its disclosures of PHI to a PHA for public health purposes? Is an HIE that is a business associate required to provide such notice?

Read more on the OCR's website here.


