HHS Releases New Guidance on Releasing PHI to Health Information Exchanges & CMS Extends Deadline for Filing 2015 Meaningful Use Attestation

The Department of Health and Human Services (HHS) released new regulatory guidance in the form of facts sheets designed to demonstrate how the HIPAA Privacy Rule permits the sharing of Protected Health Information (PHI) in Health Information Exchange (HIE). Separately, the department’s Office for Civil Rights (OCR) opened a new front on its efforts to promote health information privacy and security through helping healthcare industry stakeholders with advisory materials to educate developers of software applications that handle sensitive consumer information popular and how the HIPAA Rules might apply to scenarios in which they are used.

Authored jointly by the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health IT (ONC), the fact sheets translate the use and disclosure provisions of the HIPAA Privacy Rule allow PHI to be disclosed through HIE for purposes of a covered entity’s treatment or health care operations.   

The guidance documents do not break any new ground. The provisions of the Privacy Rule permitting covered entities or their business associates to disclose PHI for purposes of treatment, payment or health care operations (referred to as “TPO”) without first seeking the authorization of the patient or their personal representative have been in place since the adoption of the final rule in 2002. The guidance is designed to provide assurance through a series of use case examples that the disclosures or “sharing” for TPO can take place through the HIE.

For example, the Privacy Rule applies a broad based approach to the disclosure of PHI for purposes of health care treatment in which the principles of minimum necessary do not come into consideration so long as the provider receiving the patient’s information is directly or indirectly involved in the treatment for the patient. For disclosures for health care operations, the guidance provides examples of how PHI can be used or disclosed for a number of purposes like conducting quality assessment and improvement activities, developing clinical guidelines, or conducting some patient safety activities. 

However, the Privacy Rule sets certain conditions in order for PHI to be disclosed without patient authorization. First, both covered entities must have a relationship with the patient. Second, the PHI must pertain to that relationship. And, only the minimum information necessary to accomplish the purpose for which the data is required can be disclosed. 

Rounding out the trio of new releases, OCR posted new guidance on its “mHealth Developer Portal to provide scenarios where the HIPAA Privacy and Security standards might apply to mobile health applications. OCR developed the guidance to present through a series of use case scenarios that are meant to help developers determine how federal regulations might apply to products they are building. Another goal is to reduce some of the uncertainty that some stake holders cite as a barrier to innovation. 

On an unrelated note, CMS has quietly extended the deadline for hospitals and eligible providers filing the attestation for the 2015 Medicare and Medicaid Meaningful Use program year. The new deadline for filing the attestation on the CMS EHR Incentive Attestation Portal is March 11, 2016.