OCR Clarifies Permitted Uses and Disclosures of PHI

The Office for Civil Rights encourages suggestions from HIPAA-covered bodies about aspects of HIPAA that are unclear or need further clarification. Some of the inquiries submitted via the OCR website indicate some covered bodies are struggling to comprehend the Health Insurance Portability and Accountably Act Rules covering the sharing of Protected Health Information (PHI).

HIPAA allows the disclosure of PHI for healthcare operations and the provision of treatment. Health information can be utilized to help patients receive medical treatment, as well as for the evaluation of care provided to patients. It is necessary to use PHI to optimize care between different healthcare providers, and PHI is required for billing purposes. Patients must also be permitted access to their health information so they can take a more active role in their own healthcare. HIPAA permits patient health data to be shared for all of these reasons once PHI is secured at all times. However, a number of restrictions are in place.

Even though the HIPAA Privacy and Security Rules have been in operation for many years, and the Health Insurance Portability and Accountability Act was passed into law two decades ago, some covered bodies are still uncertain about when PHI can be shared, for what purposes, and about the individuals and organizations that have permission to access to health data.

The U.S. Department of Health and Human Services’ Office for Civil Rights and Office of the National Coordinator for Health IT (ONC) have been working on and developing a number of new fact sheets to clear up confusion in relation to HIPAA.

This month, two fact sheets have been released which explain some of the permitted uses and disclosures under HIPAA, including when PHI can be shared by covered bodies without authorization from patients being obtained.

The first fact sheet provides further background on some of the allowable uses of PHI for healthcare operations, including when covered bodies are allowed to share patient health information with other healthcare organizations and business partners. The definition of “healthcare operations” under HIPAA is outlined and the fact sheet provides some useful hypothetical case studies of when patient data can and cannot be shared.

The second fact sheet covers the permitted uses and disclosures in relation to the provision of treatment to patients, and explains when it is possible to share PHI with healthcare providers to co-ordinate patient care.

The fact sheets can be obtained via download from the Office for Civil Rights on the following links

Permitted Uses and Disclosures: Exchange for Treatment

Permitted Uses and Disclosures for Health Care Operations