Trio of New Guidance Documents From HHS Marks New Attention to HIPAA & e-PHI

February 15, 2016 David Holtzman

HHS Releases New Guidance on Releasing PHI to Health Information Exchanges & CMS Extends Deadline for Filing 2015 Meaningful Use Attestation

The Department of Health and Human Services (HHS) released new regulatory guidance in the form of fact sheets designed to demonstrate how the HIPAA Privacy Rule permits the sharing of Protected Health Information (PHI) in Health Information Exchange (HIE). Separately, the department’s Office for Civil Rights (OCR) opened a new front in its efforts to promote health information privacy and security by providing healthcare industry stakeholders with advisory materials that educate developers of popular software applications that handle sensitive consumer information on how the HIPAA Rules might apply to the scenarios in which those applications are used.

Authored jointly by the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health IT (ONC), the fact sheets explain how the use and disclosure provisions of the HIPAA Privacy Rule allow PHI to be disclosed through an HIE for purposes of a covered entity’s treatment or health care operations.

The guidance documents do not break any new ground. The provisions of the Privacy Rule permitting covered entities or their business associates to disclose PHI for purposes of treatment, payment or health care operations (referred to as “TPO”) without first seeking the authorization of the patient or their personal representative have been in place since the adoption of the final rule in 2002. The guidance is designed to provide assurance through a series of use case examples that the disclosures or “sharing” for TPO can take place through the HIE.

For example, the Privacy Rule applies a broad-based approach to the disclosure of PHI for purposes of health care treatment, in which the minimum necessary principle does not come into consideration so long as the provider receiving the patient’s information is directly or indirectly involved in the treatment of the patient. For disclosures for health care operations, the guidance provides examples of how PHI can be used or disclosed for a number of purposes, such as conducting quality assessment and improvement activities, developing clinical guidelines, or conducting certain patient safety activities.

However, the Privacy Rule sets certain conditions that must be met before PHI can be disclosed for health care operations without patient authorization. First, both covered entities must have a relationship with the patient. Second, the PHI must pertain to that relationship. And third, only the minimum information necessary to accomplish the purpose for which the data is required can be disclosed.

Rounding out the trio of new releases, OCR posted new guidance on its “mHealth Developer Portal” to provide scenarios in which the HIPAA Privacy and Security standards might apply to mobile health applications. OCR developed the guidance as a series of use case scenarios meant to help developers determine how federal regulations might apply to the products they are building. Another goal is to reduce some of the uncertainty that stakeholders cite as a barrier to innovation.

On an unrelated note, CMS has quietly extended the deadline for hospitals and eligible providers filing the attestation for the 2015 Medicare and Medicaid Meaningful Use program year. The new deadline for filing the attestation on the CMS EHR Incentive Attestation Portal is March 11, 2016.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule with health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
