Confusion about the Health Insurance Portability and Accountability Act (HIPAA) often prevents physicians from sharing electronic protected health information (PHI) without a patient’s authorization. Experts at the Office of the National Coordinator for Health Information Technology (ONC), however, say this is a common misconception and are seeking to provide clarification to both patients and physicians.
ONC recently published a four-part series of blog posts on permitted uses and disclosures of PHI under HIPAA. The series provides reference materials and offers clarification to physicians and patients on when they can use and disclose PHI without patient authorization.
HIPAA promotes interoperability
“What many people don’t realize is that HIPAA not only protects personal health information from misuse,” one post said, “but also enables PHI to be accessed, used or disclosed interoperably, when and where it is needed for patient care.” The experts note that HIPAA gives health care professionals permission to share PHI for patient care, quality improvement, population health and more.
“HIPAA provides many pathways for permissibly exchanging PHI,” the authors said. Working with the Office for Civil Rights (OCR), the ONC has developed two fact sheets incorporating practical, real-life scenarios that demonstrate how HIPAA supports interoperability:
The first fact sheet states that under HIPAA, physicians may disclose PHI (whether orally, on paper, by fax or electronically) to another provider for the treatment activities of that provider, without needing patient consent or authorization. HIPAA broadly defines “treatment” as the provision, coordination or management of health care and related services by one or more providers. This includes the coordination or management of health care by a provider with a third party; consultation between providers relating to a patient; or the referral of a patient for care from one provider to another.
According to the second fact sheet, physicians and other covered entities must meet three requirements to share PHI for purposes of health care operations:
If those criteria are met, a covered entity can disclose PHI to another covered entity or business associate for the following health care operations activities without patient consent or authorization:
Watch AMA Wire® in the coming weeks for a closer look into some of these circumstances and how you can take advantage of HIPAA’s capacity for interoperability and data sharing.