Rules Navigator

Register

HHS FAQs clarify health information disclosure rules

A woman filling out paperwork
Photo: adamkaz/Getty Images

Alexander Barzacanos

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

New detail confirms that patient information under HIPAA can be shared by health providers and also reaffirms broad data access rights by patients.

In a recently published FAQ, the Department of Health and Human Services Office of Civil Rights (HHS OCR), clarified that under the HIPAA Privacy Rule covered health care providers may disclose protected health information (PHI) to value-based care organizations, which are compensated for patient health outcomes rather than volume of services provided.

The clarification emphasizes that those organizations may treat patients and coordinate care without needing additional patient authorization.

As the FAQ notes, PHI disclosure for treatment purposes is generally allowable under the Privacy Rule.

The clarification went on to stipulate that “a covered entity is permitted to disclose PHI, regardless of to whom the disclosure is made, where the disclosure is made for the treatment activities of a health care provider.”

Personal health information access

Another FAQ clarifies patients’ broad ability to request their own health information held by health care providers. Such information potentially includes:

  • medical records;
  • billing and payment records;
  • insurance information;
  • clinical laboratory test reports;
  • X-rays;
  • wellness and disease management program information;
  • consent forms for treatment; and
  • any notes.

The FAQ lists certain exceptions to this rule, including information that is not used to make decisions about patients, as well as psychotherapy notes or information compiled in reasonable anticipation of, or use in legal proceedings.

However, generally, it reaffirms that rights to data access by patients themselves are extensive and circumscribed only in very limited circumstances.

Health data interoperability push

The clarifications come amid the HHS Centers for Medicare and Medicaid Services’s (CMS) plans to increase interoperability and information sharing.

At an event last month, the CMS signalled ambitious plans for a next-generation digital health ecosystem based on a new interoperability framework that would permit seamless information sharing and increase availability and access to personalized tools that would help patients make better health decisions.

Underpinning the system will be voluntary data exchange criteria for “trusted, patient-centered and practical data exchange” that is intended to be accessible for all network types, including health information networks and exchanges, and Electronic Health Records (EHR).

The list of companies listed as early adopters suggests wide-spread industry interest driven by companies seeing commercial potential in engaging with this effort.

, , , , , , , , ,
You may also like