Guidance Offered on Data Disclosures During Pandemic
Agency Clarifies Sharing Records for Public Health Purposes as Permitted Under HIPAA
The agency that enforces HIPAA has issued guidance to clarify how covered entities and business associates are permitted to make patient record disclosures for public health purposes to health information exchange organizations during the COVID-19 pandemic.
The Department of Health and Human Services’ Office for Civil Rights said its new guidance gives examples of how organizations may disclose protected health information without patient authorization to an HIE for reporting to a public health authority.
But as a matter of routine, covered entities’ notice of privacy practices must reveal that PHI may be shared for public health purposes if the need arises.
HHS says a public health authority is “an agency or authority of the U.S., a state, a territory … or a person or entity acting under a grant of authority from or contract with such public agency … that is responsible for public health matters as part of its official mandate.”
OCR is issuing the guidance to “highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public's health, particularly during the COVID-19 public health emergency,” said Roger Severino, OCR director.
The guidance clarifies that the HIPAA Privacy Rule permits covered entities or their business associates to disclose PHI to an HIE organization, which can, in turn, transmit the PHI to a public health authority.
“Where a state law requires hospitals to transmit patient treatment and laboratory testing data to an HIE for the purpose of reporting to the appropriate state or local public health department, the covered hospital would not violate the HIPAA Privacy Rule when it transmits the data to an HIE for that purpose,” the guidance notes.
Clearing Up Misunderstandings
Sizing up the guidance, regulatory attorney Helen Oscislawski of the law firm Attorneys at Oscislawski notes: “A chunk of the guidance merely rehashes the [HIPAA] public health exception and how the privacy rule has set that up.”
Under the public health exception, covered entities are permitted to disclose PHI, without a patient’s prior authorization, to public health authorities that are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury or disability.
OCR in its guidance also points out that the HIPAA Privacy Rule does not permit covered entities to disclose PHI to private organizations for a public health reason, absent a relationship between the private organization and a government public health authority or other underlying legal authority, she says.
Privacy attorney Iliana Peters of the law firm Polsinelli notes: “Only the HIPAA covered entity can make the decision with regard to what PHI is disclosed to a public health authority.”
When a public health authority requests records from a covered entity, the request should only involve “the minimum necessary information” needed for the public health authority’s stated public health purpose, she points out.