Continuing our two-part series on the HIPAA Fact Sheets released in early February 2016, we'll be discussing the "Permitted Uses and Disclosures: Exchange for Treatment" fact sheet.
In our first post, we listed the authorized uses of PHI transfers for healthcare operations that did not require patient authorization. The HHS, ONC, and OCR collaborated on the development of these two fact sheets to ease the confusion among healthcare providers on the appropriate use and disclosure of PHI.
Note: HIPAA permits Covered Entities (CEs) to use and disclose PHI without first obtaining a patient's authorization so long as the proper relationship exists between the CE and the recipient CE, or Business Associate (BA). This relationship is best outlined by these HIPAA guidelines.
Below are three common scenarios that require HIPAA compliance during the transfer of PHI for coordinating treatments between health care providers.
Scenario 1: Hospital and Treating Physician Exchanges
In the case of a hospital (CE) that discloses the PHI of its patients to a receiving treatment provider in an office, the receiving hospital (recipient CE) is responsible for safeguarding the PHI itself. Compliance with HIPAA includes the permissible transfers as well as the disclosures of subsequent uses or breaches. The disclosing hospital is also responsible for securely disclosing the PHI to the receiving physician. This includes adequate measures to ensure that the information gets to the right person.
Scenario 2: Treatment through Care Planning by a Health Care Provider
Providers (CEs) who want to ensure the comprehensiveness of their care plans and decide to hire a care planning company (BA) will need to enter into a Business Associate Agreement (BAA). BAs can request PHI from (1) the hospitals the patients have been admitted to for the same medical care and (2) the patients’ health plans. These types of disclosure require Security Rule compliance.
A patient's other providers--who send PHI to the original provider's BA--are not responsible for what that BA does with the PHI, so long as it was disclosed securely. Furthermore, responding CEs can disclose PHI to the original provider’s BA for care planning purposes without having to enter into their own BAAs with the care planning company.
Scenario 3: Downstream Health Care Providers and Treatment
Inpatient facilities (CEs) preparing to discharge a patient with ongoing care needs will have to identify--along with the patient--a new rehabilitation facility (recipient CE). The current hospital may disclose relevant PHI to the new facility using CEHRT, but the disclosure will also require Security Rule compliance.
Since this process is in anticipation of future treatment, it can be carried out under 45 CFR 164.506(c)(2). The current facility is accountable for its HIPAA compliance, including the security measures it takes to send its PHI to the right person. Likewise, the new rehabilitation facility will be held responsible for safeguarding the PHI once it's been received.
As mentioned in the fact sheet, the information in this overview is not meant to serve as legal advice nor to be used in place of legal counsel.