HIPAA Compliance Fact Sheet: An Overview for Healthcare Operations

Image via Dozdrapebh

Image via Dozdrapebh

The United States Department of Health and Human Services (HHS), Office of the National Coordinator for Health IT (ONC), and Office for Civil Rights (OCR) have worked together to develop two fact sheets on HIPAA Permitted Uses and Disclosures. The effort was made to lessen confusion among healthcare organizations on when and where they could transfer PHI without requiring specific patient authorization. 

The fact sheet entitled "Permitted Uses and Disclosures: Exchange for Health Care Operations" provides the following examples of permitted transfers between a covered entity (CE) and another CE or business associate (BA). The following activities are listed as permitted for the purposes of healthcare care operations activities and do not require written patient consent so long as the proper relationship between the two parties has been established as per outlined HIPAA guidelines: 

  • Conducting quality assessment and improvement activities

  • Developing clinical guidelines

  • Conducting patient safety activities as defined in applicable regulations

  • Conducting population-based activities relating to improving health or reducing health care cost

  • Developing protocols

  • Conducting case management and care coordination (including care planning)

  • Contacting health care providers and patients with information about treatment alternatives

  • Reviewing qualifications of health care professionals

  • Evaluating performance of health care providers and/or health plans

  • Conducting training programs or credentialing activities

  • Supporting fraud and abuse detection and compliance programs

These activities are permitted so long as (1) both CEs have or had a relationship with the patient, (2) the transferred PHI is related to the relationship and (3) the 'discloser' only discloses the minimum information required to execute the health care operation. The fact sheet includes subsequent examples of uses by health care management companies for quality improvements and assessments. 

More information about the HIPAA fact sheets and requisite relationship requirements between involved parties can be found on the HHS Website