The OCR Has Released New Guidance on the Disclosing of Protected Health Information

Back on December 18, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), released new guidance on how the Health Insurance Portability and Accountability Act (HIPAA) permits covered entities and their business associates to use health information exchanges (HIEs) to disclose protected health information (PHI) for the public health activities of a public health authority (PHA).

The guidance provides specific examples relevant to the COVID-19 public health emergency on how HIPAA allows covered entities and their business associates to disclose PHI to an HIE for reporting to a PHA that is engaged in public health activities. The goal of these new updates is to help improve the public's health during the pandemic.

First, it should be noted that per HIPAA Final Rule Preamble, individuals' right to privacy in information about themselves is not absolute. It does not, for instance, prevent reporting of public health information on communicable diseases or stop law enforcement from getting information when due process has been observed.

Second, we should note that if there’s one thing we know when it comes to patient privacy, not every piece of guidance or new regulation is cut and dry. What the guidance does, however, aim to do is answer a number of questions that have been raised during this national public health emergency, including:

• • What is a health information exchange?
  • When does the HIPAA Privacy Rule permit a covered entity to disclose PHI for the purposes of reporting the PHI to a PHA, without an individual's authorization?
  • Can a covered entity rely on a PHA's request to disclose a summary record to a PHA or HIE as being the minimum necessary PHI needed by the PHA to accomplish the public health purpose of the disclosure?
  • May a covered entity disclose PHI to a PHA through an HIE without receiving a direct request from the PHA?

Because we know staying on top of all the latest guidance and regulatory update can be a herculean effort, on Wednesday, March 3, we’ll be hosting a new webinar, “Sharing PHI During a Public Health Emergency: What You Should Know,” where we’ll dive deep into the new guidance while also covering some tried-and-true best practices for protecting patient health information to help clear up any questions you may have.

Just for attending the live presentation, we’ll be giving away 1.2 HCCA CEUs. Hope to see you there!