OCR Publishes New Guidance on Sharing PHI through HIEs for Public Health Purposes

by | Dec 21, 2020 | COVID-19, HIE & HIN, HIPAA

Last Friday, the Office for Civil Rights (OCR) issued new Guidance on how HIPAA permits covered entities to use health information exchanges (HIEs) to disclose PHI for the public health activities of a Public Health Authority (PHA). Specifically, it provides examples relevant to the COVID-19 public health emergency. OCR Director Roger Severino notes that the Guidance was issued:

“to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency.”

Although much of the Guidance document reiterates well-known controlling HIPAA Privacy Rule provisions and definitions, which have always afforded a mechanism through which covered entities (CEs) and their contracted business associates (BAs) can share ePHI with a PHA for public health purposes, there are a few notable new take-away nuggets.

1. Defining HIEs by the Information Blocking Rule. First, although the HIPAA Privacy Rule does not expressly identify an HIE as a type of BA (fyi, the HITECH amendments expressly named “Health Information Organizations” as specific examples of BAs), the Guidance reaffirms that HIEs are indeed BAs and, at least for purposes of the Guidance, OCR adopts the definition of “health information exchange” found in the Information Blocking Rule. That is, an HIE would be “any organization that enables the sharing of electronic protected health information (ePHI) among more than two unaffiliated entities, such as health care providers, health plans, and business associates, for treatment, payment or health care operations purposes.” The Guidance also notes that an HIE may provide other functions to its contracted participants, such as public health reporting to PHAs.

2. BA Agreements must authorize public health disclosures, but for the duration of the COVID-19 public health emergency, the Notice of Enforcement Discretion allows HIEs to share ePHI with PHAs without having to get permission from CE participants. OCR also reminds us that while the permissions addressed in the Guidance also apply to HIPAA BAs, BAs are still generally bound by the terms of their HIPAA Business Associate Agreements (BAAs). That is, in order for an HIE that is a BA to be permitted to share its contracted CE participants’ ePHI with a PHA, as a CE would be allowed to do under 45 CFR 164.512(b) of the Privacy Rule, the BAA in place between the BA and its CE participants would need to expressly permit or require it to do so. However, OCR recognized that CEs might not have contemplated the need for, and the benefit of, allowing their HIE BAs to share such ePHI during a pandemic. As a result, OCR published its Notification of Enforcement Discretion in April 2020. See my prior post on how HIEs may share ePHI directly with a public health authority during the COVID-19 public health emergency even when a BAA does not expressly authorize it. In short, thereunder, for the duration of the COVID-19 public health emergency, an HIE need not first obtain permission from its covered entity participants before sharing ePHI with a PHA for a public health purpose. Important to note here is that when the public health emergency declaration is lifted, the Enforcement Discretion will expire.

3. HIEs must be granted “authority” to collect on behalf of a PHA; private entities performing public health activities need not apply. Next, OCR includes a notable point about when an HIE may be “acting under a grant of authority or contract” with a PHA for a public health purpose, which would permit it to more freely collect and share ePHI in accordance with such authority. The HIPAA Privacy Rule does not elaborate on what specifically would constitute such a “grant of authority” to act on behalf of a PHA. However, the Guidance document offers the following:

“Evidence of a grant of authority could include a written statement on appropriate government letterhead or the PHA’s official website that the HIE is acting under the PHA’s authority, or could include a contract for services, a memorandum of understanding, a purchase order, or similar documentation that establishes that the person or organization is acting on behalf of the public official.”

Importantly, OCR reminds HIEs and CEs that “the Privacy Rule does not permit covered entities to disclose PHI to private organizations for public health reasons absent a nexus between the private organization and government public health authority or other underlying legal authority”. OCR points out that otherwise, CEs would have no basis for determining which data collections were “legitimate” and how the confidentiality of the information would be protected. OCR has an excellent checklist to help HIEs and others confirm whether a disclosure is properly aligned with the HIPAA Privacy Rule’s exception for public health, which you can pull up here.

4. You can rely on a PHA’s assertion that the scope of data being requested is “minimum necessary,” but it must still be “reasonable.” The Privacy Rule’s exception allowing disclosures of ePHI for public health purposes still requires that HIPAA’s minimum necessary standard be followed. This has raised some questions about the permissible scope of ePHI that an HIE can disclose to a PHA making a request. The Guidance reaffirms that an HIE can generally rely on the PHA to only ask for the “minimum necessary” amount of ePHI for the intended public health purposes, but how does an HIE know what might be “reasonable under the circumstances”? To this end, the Guidance offers the following examples of what OCR would consider to be “reasonable”:

  • Health care providers disclose PHI on an ongoing basis for all prior and current cases of patients exposed to COVID-19, whether suspected or confirmed, using Electronic Case Reporting (eCR), the automated generation and transmission of case reports from EHRs to public health agencies, for review and action.
  • A state health department asks all health care providers in the state to report diagnoses of influenza and related patient information using an electronic continuity of care document, a type of summary record that includes patient identity, demographic information, and laboratory test results.
  • A local PHA requests that covered health care providers participating in a regional HIE submit summary records with the CCDS or USCDI, such as a Consolidated Clinical Document Architecture Release 2.1 (C-CDA) document, for all patients with COVID-19, using a public health reporting app.

5. OCR says that HIEs need to track such disclosures to PHAs and be able to produce an Accounting of Disclosures. Future Rulemaking? OCR reminds readers that when individuals request an accounting of disclosures of their PHI, the Privacy Rule requires a covered entity to include an accounting of disclosures (e.g., to a PHA, to the covered entity’s business associate) made for public health purposes. In addition, OCR states that an HIE BA is directly liable, in certain circumstances, for a failure to provide an accounting of its own disclosures, which would include disclosures of PHI for public health purposes. Here, interestingly, OCR goes back to cite the HITECH Act Sect. 13405(c)(3), 42 U.S.C. 17935(c)(3), which states: “A business associate included on a list under subparagraph (b) shall provide an accounting of disclosures (as required under paragraph (1) for a covered entity) made by the business associate upon a request made by an individual directly to the business associate for such an accounting.” However, this requirement has never been published in a final rule — BUT, OCR states that it plans to issue rulemaking on the accounting of disclosures as required by the HITECH Act section 13405(c)(2). Something to look forward to in 2021!
