The COVID-19 pandemic has triggered changes in HIPAA guidance related to how health information exchanges (HIEs) can disclose protected health information (PHI) to a public health authority (PHA).

On December 18, 2020, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued new guidance on how HIPAA permits covered entities and their business associates to use HIEs to disclose PHI. “OCR is issuing this guidance to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency,” OCR Director Roger Severino said in a press release.

A covered entity or business associate may disclose PHI to an HIE for public health reporting purposes in accordance with another law requiring such disclosure, such as a mandate contained in federal, state, local, or other law that is enforceable in court. An example cited by OCR is a state law that requires hospitals to transmit patient treatment and laboratory testing data to an HIE for the purpose of reporting to the appropriate state or local public health department. In such cases, the covered hospital would not violate the Privacy Rule when data are transmitted to an HIE.


Under the new guidance, OCR will exercise its enforcement discretion and not impose penalties on a business associate HIE for disclosing PHI to a PHA during the COVID-19 public health emergency when its business associate agreement does not authorize the disclosure. For example, a covered laboratory may report patient test results through an HIE that receives and transmits the PHI to a PHA when the HIE is performing this data transmission on behalf of the laboratory as the laboratory’s business associate.

“This does send a new message,” said Deb Marko Koeberer, privacy manager for compliance and privacy at University Hospitals of Cleveland, Ohio. “I have had conversations with [OCR]; they want us to continue to care for the needs of the patients, and so taking this action only reinforces this.”

During the COVID-19 public health emergency, an HIE may transmit patient test results it receives in the HIE’s role as a covered healthcare provider’s business associate in response to a PHA’s request, regardless of whether the HIE’s business associate agreement with the provider permits such disclosure. The Privacy Rule permits a covered entity to disclose PHI through an HIE to a PHA for public health activities, and this permission does not require that the covered entity receive a direct request for PHI from the PHA, if the covered entity knows that the PHA is using the HIE to collect such information or that the HIE is acting on behalf of the PHA.

For example, a city health department that is authorized by law to obtain COVID-related test results and track the overall health of individuals tested over time may contract with, or grant authority to, a regional HIE to receive summary records about individuals tested for the virus from local health care providers.

“They are issuing more guidance that clarifies information that is hard to understand,” Koeberer said.

The updated guidance during the pandemic states that an HIE that is in a business associate relationship with a covered entity will not be subject to HIPAA penalties if the HIE transmits summary records about individuals diagnosed with COVID-19 to a city health department that is collecting the information to track COVID-19. This holds true regardless of whether that public health disclosure is permitted by the HIE’s business associate agreement with the covered healthcare provider, as long as the HIE notifies the covered entity within 10 days after it first transmitted such information to the city health department.

Lenny Sanchez, director of patient privacy at UW Medicine Compliance in Seattle, Washington, said that for public health reporting OCR generally defers to the unique mandatory reporting requirements under state and local law. If a city health department requires data for a legitimate public health inquiry that it is authorized by law to pursue, the HIPAA Privacy Rule would permit the disclosure.

“Here, OCR’s enforcement discretion simply allows business associates or HIEs to carry out this reporting on behalf of the HIPAA covered entity without the usual contractual terms that would be spelled out in a memorandum of understanding or business associate agreement,” Sanchez said.

Due to more virulent strains spreading in various cities, Sanchez said these new HIPAA changes may be even more important because quick reporting to health departments can save lives. “Having worked in privacy compliance for the duration of the pandemic, it has been incredibly helpful to reduce any type of red tape to get information where it’s needed. HIPAA and other privacy laws weren’t necessarily drafted with the challenges of a global pandemic at the forefront,” Sanchez said.

This past year has brought about a myriad of medical and public health challenges, and Sanchez said it was reassuring to know that the major enforcement agency for HIPAA understood the practical reality of the situation. “I can’t speak directly on behalf of our providers or lab medicine professionals, but I feel comfortable saying that getting data to public health authorities has been of paramount concern with our organization when I reviewed privacy compliance issues that came my way. Any flexibility afforded by HHS has been greatly appreciated,” Sanchez said.

Margaret Foster Riley, a professor of law and a professor of public health sciences at the University of Virginia in Charlottesville, said healthcare providers are understandably wary of the potential for HIPAA breaches because each breach can incur significant penalties and obligations. HIPAA already had exceptions for public health purposes, but some of these have been ambiguous. Consequently, providers may tend to be risk averse and release data that is insufficient for public health purposes, Riley said. “For example, one constraint on all HIPAA exceptions is that the covered entity release the ‘minimal amount necessary,’ but by being conservative in that assessment a provider might actually hamper the public health mission requiring COVID data,” Riley said.


OCR Issues Guidance on HIPAA, Health Information Exchanges, and Disclosures of Protected Health Information for Public Health Purposes [news release]. HHS; December 18, 2020.