Is Digital Exchange of Health Information supported by HIPAA at the Local, State and Federal levels?

The government continues to work hard to provide a properly functioning health system to everyone at the federal, state, and local level. There are government oversight agencies that may license health insurance companies or health care professionals, administer a state Medicaid program and monitor efficacy and compliance of health care programs. They are also quite particular about ensuring that individual civil rights related to the usage of patients’ health information. To make it all happen, such agencies often require health information about individuals that may raise questions about the HIPAA (Health Insurance Portability and Accountability Act).
In order to back these activities and to assist in making sure that these important activities can benefit from our nation’s Health IT infrastructure, the U.S. Department of Health in collaboration with the Office for Civil Rights (OCR) and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has recently published a new fact sheet.
The mentioned fact sheet explains how a key provision of the HIPAA Privacy Rule allows covered organizations to share protected health information (PHI) digitally with health oversight agencies without procuring a written authorization from the patient or the concerned individual. The new fact sheet features easy-to-understand examples explicating how this HIPAA provision works across areas where health oversight occurs. These examples comprise:

• A physician desiring to send his patients’ PHI to the state medical board examining patient complaints
• A health plan sharing beneficiary PHI with the state health insurance commissioner accountable for evaluating insurers’ conduct in the market.
• A hospital that intends to share PHI with the U.S. Food and Drug Administration in relation to an investigation into the safety concerns of certain implantable devices.
• A nursing home sending PHI to the state Medicaid fraud office in reply to its application for data that could authenticate compliance with Medicaid billing guidelines.
• A health plan transferring beneficiary enrollment PHI to a state insurance department doing an audit to guarantee civil rights compliance.
• Providers revealing PHI to Centers for Medicare and Medicaid Services (CMS) contractors carrying out Medicaid compliance duties on behalf of CMS.

The health oversight fact sheet further explains how important provisions of the HIPAA may apply to the sending and receiving of health information for health oversight, such as data Security Rule considerations or the ‘minimum necessary’ rule.
The latest fact sheet is a portion of the collection of ONC’s blog series and ONC/OCR fact sheets explaining how HIPAA secures patient data secure and eases the flow of health information. Topics discussed in the mentioned series include how covered entities are allowed to share PHI for necessary activities, such as treatment, health care operations, public health activities and payments. For more such reports please subscribe to our newsletter here.