OCR Issues Guidance on HIPAA, HIE, and Disclosures of PHI for Public Health Purposes

The Office for Civil Rights (OCR) at the United States Department of Health and Human Services (HHS) issued guidance addressing how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule permits a covered entity or its business associate to use health information exchanges (HIEs) to disclose protected health information (PHI) for the public health activities of a public health authority (PHA).

OCR is issuing the guidance to highlight the fact that HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, especially during the pandemic. The guidance answers the following questions:

  • What is an HIE?
  • When does the HIPAA Privacy Rule permit a covered entity or its business associate to disclose PHI to an HIE for purposes of reporting the PHI to a PHA, without an individual’s authorization?
  • Can a covered entity rely on a PHA’s request to disclose a summary record to a PHA or HIE as being the minimum necessary PHI needed by the PHA to accomplish the public health purpose of the disclosure?
  • May a covered entity disclose PHI to a PHA through an HIE without receiving a direct request from the PHA?
  • May an HIE provide PHI it has received as a business associate of a covered entity to a PHA for public health purposes without first obtaining permission from the covered entity?
  • Is a covered entity required to provide notice to individuals about its disclosures of PHI to a PHA for public health purposes? Is an HIE that is a business associate required to provide such notice?

The guidance can be accessed at: HIPAA, Health Information Exchanges, and Disclosures of Protected Health Information for Public Health Purposes (hhs.gov)

Individuals who use assistive technology may not be able to fully access all information in this file. Those needing assistance can contact the HHS Office for Civil Rights at (800) 368-1013, TDD toll-free (800) 537-7697, or by emailing OCRMail@hhs.gov.

Issue:

With the start of COVID-19 vaccinations, it is likely that many questions will arise regarding HIPAA, PHI, and the Privacy Rule. All healthcare providers must understand HIPAA and how to protect PHI. The Privacy Rule allows access to the information needed to ensure high-quality healthcare and to protect the public, while ensuring that an individual’s health information is properly protected. All staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI.

Discussion Points

  • Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates.
  • Train all staff on HIPAA, PHI, and Privacy, minimally upon hire and annually. Document that the trainings occurred and file the signed training document in the employee’s education file.
  • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and Privacy are being followed by all staff and that each staff member demonstrates understanding and competency.