This guidance addresses how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule permits a covered entity or its business associate to use health information exchanges (HIEs) to disclose protected health information (PHI) for the public health activities of a public health authority (PHA).
1. What is a Health Information Exchange (HIE)?
For purposes of this guidance, an HIE is an organization that enables the sharing of electronic protected health information (ePHI) among more than two unaffiliated entities, such as health care providers, health plans, and business associates, for treatment, payment, or health care operations (TPO) purposes. An HIE also may provide other functions and services to its participants (e.g., covered entities, business associates), such as public health reporting to PHAs, patient record location, and data aggregation and analysis. Some examples of HIEs include nationwide and state-wide health information exchanges, regional health information organizations (RHIOs), and some clinical data registries.
2. When does the HIPAA Privacy Rule permit a covered entity or its business associate to disclose PHI to an HIE for purposes of reporting the PHI to a PHA, without an individual’s authorization?
The Privacy Rule permits covered entities or their business associates to disclose PHI to an HIE for the HIE to report PHI to a PHA conducting public health activities, in any of the following circumstances:
When the disclosure is required by law. A covered entity or business associate may disclose PHI to an HIE for public health reporting purposes in accordance with another law (e.g., a mandate contained in federal, state, local, or other law that is enforceable in court) requiring such disclosure.
When an HIE is a business associate of the covered entity (or of another business associate) that wishes to provide PHI to a PHA for public health purposes. A covered entity, or a business associate on the covered entity’s behalf, may disclose PHI to an HIE that is its business associate in order to transmit PHI to a PHA for the PHA’s public health activities. A covered entity or business associate (for or on behalf of a covered entity) may engage an HIE as a business associate to create, receive, maintain, or transmit PHI on the covered entity’s behalf for a HIPAA covered function (e.g., for treatment or any other permitted purpose, including public health uses and disclosures).
An HIE acting as such a business associate may disclose PHI to a PHA when the terms of the Business Associate Agreement (BAA) expressly permit or require the HIE to disclose PHI to a PHA on behalf of a covered entity, directly or through another business associate.
When an HIE is acting under a grant of authority or contract with a PHA for a public health activity. A covered entity, or a business associate acting on the covered entity’s behalf (e.g., the covered entity’s HIE), may disclose PHI to an HIE that is acting under a grant of authority from, or contract with, a PHA authorized by law to collect or receive such information for public health activities.
Except for disclosures required by law, which must be limited to the relevant requirements of such law, a covered entity generally must make reasonable efforts to limit the PHI disclosed to PHAs to the minimum necessary to accomplish the intended purpose of a public health disclosure. However, a covered entity may rely, if such reliance is reasonable under the circumstances, on a PHA’s representations that the PHI it is requesting is the minimum necessary to accomplish the public health purpose of the request.
3. Can a covered entity rely on a PHA’s request to disclose a summary record to a PHA or HIE as being the minimum necessary PHI needed by the PHA to accomplish the public health purpose of the disclosure?
Yes. When a PHA requests a summary record or other specified data set, the covered entity may rely, if such reliance is reasonable under the circumstances, on the request being the minimum necessary information the PHA needs for its stated public health purpose if the PHA so represents. In such cases, the Privacy Rule does not require a covered entity to make an independent determination of minimum necessary when responding to a request from a PHA for the PHA’s public health activities.
4. May a covered entity disclose PHI to a PHA through an HIE without receiving a direct request from the PHA?
Yes. The Privacy Rule permits a covered entity to disclose PHI through an HIE to a PHA for public health activities, and this permission does not require that the covered entity receive a direct request for PHI from the PHA if the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting on behalf of the PHA. For example, a city health department (a PHA) that is authorized by law to obtain COVID-19 related test results, and to track the overall health of the individuals tested over time, may contract with, or grant authority to, a regional HIE to receive summary records about individuals tested for the virus from local health care providers. A covered health care provider, acting on its knowledge that the city health department is using the HIE to track COVID-19, may transmit summary records containing PHI for all tested individuals to the HIE for reporting to the city health department, and this disclosure would not violate the minimum necessary standard.
5. May an HIE provide PHI it has received as a business associate of a covered entity to a PHA for public health purposes without first obtaining permission from the covered entity?
Yes, during the COVID-19 public health emergency, OCR will not impose penalties on a business associate HIE for violations of certain provisions of the Privacy Rule if the HIE transmits PHI it receives as a covered entity’s business associate to a PHA for the PHA’s public health activities, regardless of whether the HIE’s BAA with the health care provider permits such disclosure or the provider otherwise authorizes the disclosure.
6. Is a covered entity required to provide notice to individuals about its disclosures of PHI to a PHA for public health purposes? Is an HIE that is a business associate required to provide such notice?
Yes, a covered entity is required to provide individuals with notice that it discloses PHI for public health purposes in the covered entity’s Notice of Privacy Practices (NPP). The Privacy Rule requires a covered entity to include in its NPP a description of the purposes, which would include public health purposes, for which the covered entity may use or disclose PHI without an individual’s authorization. As such, individuals receive advance notice that their PHI may be used or disclosed for public health purposes when they receive a copy of an NPP, or when they review the covered entity’s NPP on its website.
In addition, because the Privacy Rule does not require a covered entity to make disclosures for public health purposes, a covered entity may choose to honor an individual’s request to not disclose PHI about the individual to a PHA, provided that other law does not require the disclosure. The Privacy Rule does not require a business associate, such as an HIE that is a business associate, to provide individuals with a NPP. However, when individuals request an accounting of disclosures of their PHI, the Privacy Rule requires a covered entity to include an accounting of disclosures (e.g., to a PHA, to the covered entity’s business associate) made for public health purposes.
In addition, a business associate is directly liable, in certain circumstances, for a failure to provide an accounting of its own disclosures, which would include disclosures of PHI for public health purposes.
The full guidance document is available at https://www.hhs.gov/sites/default/files/hie-faqs.pdf