HIPAA Privacy Rule and Health IT Update

January 7, 2009

The Office for Civil Rights (OCR) recently published new guidance on how the HIPAA Privacy Rule can facilitate the exchange of electronic health information. While not creating additional regulations, the guidance discusses several key aspects of the Privacy Rule and common questions for HIPAA covered entities.

The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment guidance explains the role of Health Information Organizations (HIOs) relating to six separate aspects of the Privacy Rule: (1) correction of protected health information (PHI); (2) openness and transparency; (3) individual choice; (4) limitations on the collection, use, and disclosure of information; (5) safeguards; and (6) accountability.

Note: The OCR released the above information in seven separate documents. For convenience, we have consolidated these documents into a single document which may be obtained by clicking here.

Significantly, the guidance further clarifies the status of HIOs under the Privacy Rule. A basic tenet of HIPAA is that the Privacy Rule only applies to “covered entities” (health care providers that conduct covered financial and administrative transactions, health care clearinghouses, and health plans). The functions of HIOs, however, do not make them covered entities. Instead, HIOs generally facilitate the exchange of electronic PHI between multiple entities that participate in an HIO network and are considered “business associates” under the Privacy Rule. Therefore, the Privacy Rule applies to HIOs only indirectly, by way of contract (through a “Business Associate Agreement”). Notably, the OCR’s guidance confirms that the Privacy Rule allows covered entities participating in an HIO network to operate under a single Business Associate Agreement, as long as it establishes parameters for uses and disclosures of PHI in a manner consistent with the Privacy Rule.

The OCR also released additional HIPAA Privacy guidance regarding individuals’ right of access to PHI in new forms of health information technology and how the Privacy Rule may apply to personal health records. Although the information contained in this guidance is not new, the OCR has offered it to help covered entities and others keep pace with the Privacy Rule as health information technology expands. See: http://www.hhs.gov/ocr/hipaa/hit.

Finally, the HIPAA Privacy guidance documents were released in conjunction with the Department of Health and Human Services’ new Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (“Privacy and Security Framework”), which attempts to establish a set of privacy principles to “guide the Nation’s adoption of health information technologies and help improve the availability of health information and health care quality.” See: http://www.hhs.gov/healthit/privacy/framework.html.