Following a Notice of Enforcement Discretion ("NED") issued earlier this year (discussed in our previous article here), the Office for Civil Rights ("OCR") has issued detailed guidance addressing the sharing of protected health information ("PHI") through health information exchanges ("HIEs") for public health activities of a public health authority ("PHA"). An HIE enables participants to share electronic PHI ("ePHI") for treatment, payment and health care operations purposes in accordance with HIPAA. HIEs often provide features like public health reporting to PHAs.

HIPAA permits the disclosure of PHI to PHAs for certain public health activities. PHAs could include the Centers for Disease Control and Prevention ("CDC") or a state or other local health department. The PHI required by law, or the minimum PHI necessary to satisfy a legally permissive disclosure, may be shared by a covered entity or by a business associate on the covered entity's behalf with an HIE as follows:

  1. When the disclosure to the HIE is the required mechanism to report PHI to a PHA, as required or permitted by law, and the HIE is acting on behalf of the PHA under an engagement, or, if the PHA is also a covered entity, a business associate agreement ("BAA");
  2. When the HIE is the business associate of the covered entity that is required or permitted to make the disclosure to the PHA and is making the disclosure on behalf of the covered entity; or
  3. When the HIE is a subcontractor business associate of another business associate of the covered entity that is required or permitted to make the disclosure to the PHA and is making the disclosure on behalf of the covered entity.

A summary of the guidance FAQs is as follows.

Disclosing PHI to an HIE to Provide Reports to a PHA Without Patient Authorization

A covered entity, or the covered entity's business associate on behalf of the covered entity, is permitted to utilize an HIE to share PHI with a PHA for public health activities. This includes the following situations:

  1. Where the disclosure is "required by law," such as a mandate that requires a health care provider to transmit certain lab results to a local public health department. Covered entities and their business associates may make disclosures of PHI that are required by law but should limit the disclosure to what is required by law.
  2. Where a business associate of a covered entity, including an HIE, is permitted by the BAA between the entities to disclose PHI to a PHA on the covered entity's behalf. PHI can be shared by the business associate directly with the PHA or through a subcontractor business associate subject to an appropriate subcontractor BAA. Notably, in light of the COVID-19 public health emergency, the NED currently states that OCR will not assess penalties against business associates and their subcontractors, including HIEs, that disclose PHI to PHAs when their BAAs do not expressly permit such disclosure for public health activities. This means that there is currently no risk to business associates and subcontractors who share PHI with a PHA from a HIPAA Privacy Rule perspective, at least until the conclusion of the state of emergency. However, as addressed in our earlier alert, additional precautions are recommended to ensure that such sharing does not jeopardize compliance with contractual requirements or state law, or violate the HIPAA Security Rule. When the state of emergency concludes, BAAs would need to expressly authorize sharing PHI with PHAs to allow continued disclosure for public health activities.
  3. Where a covered entity or its business associate, including an HIE, discloses PHI to an HIE that is acting under contract or granted authority by the PHA to collect or receive such PHI for public health activities. In such instances, the covered entity or business associate need not have a BAA with the PHA's HIE because the HIE is not acting for or on behalf of the covered entity or the business associate.

When the disclosure is required by law, only the PHI necessary to meet the legal requirement may be released. Where the disclosure is permitted by law, only the minimum PHI necessary for the public health activity should be disclosed. However, covered entities and their business associates may rely, if reasonable, on a PHA's or the PHA's HIE's representations that the PHI requested is the minimum necessary to accomplish the public health purpose.

Relying on PHA's Request to Disclose a Summary Record as Minimum Necessary

If reasonable under the circumstances, a covered entity (or its business associate acting on its behalf) is permitted to rely on a PHA's (or the PHA's HIE's) representation that the request is the minimum necessary PHI for stated public health purposes. Neither a covered entity nor its business associate is required to make an independent determination that such PHI is the minimum necessary. PHI in a summary record, such as that generated by the covered entity's electronic health record system, may satisfy the minimum necessary requirements and may be made available to an HIE to provide to a PHA.

No Direct Request from the PHA Required

A covered entity (or its business associate acting on its behalf) is permitted to share PHI with a PHA or such PHA's HIE without a specific request from the PHA to the covered entity. If a covered entity is aware of a PHA's engagement with an HIE to receive, for example, summary records of individuals testing positive for COVID-19, then a covered entity (or its business associate acting on its behalf) could transmit a summary record to the HIE for purposes of reporting to the PHA.

During the COVID-19 Public Health Emergency, HIEs May Disclose PHI to a PHA for Public Health Purposes

Pursuant to the NED, OCR will not impose penalties for violations of the HIPAA Privacy Rule against HIEs acting as business associates (or the covered entities on whose behalf they are acting) that make good faith uses or disclosures of PHI for public health or health oversight activities, even if such uses or disclosures are not permitted by the BAA between the parties. However, a business associate is required to notify the covered entity within 10 business days of such disclosures. Even with the NED in effect, it is still possible for an HIE to share PHI in a manner that violates HIPAA, such as sending the PHI in an unsecured manner inconsistent with the HIPAA Security Rule. Further, as discussed here, additional contractual or state law obligations may prohibit such use or disclosure, so HIEs will want to be aware of any additional requirements prior to making such disclosures on behalf of covered entities.

Notice to Individuals and Accounting of Disclosures

A covered entity's notice of privacy practices ("NPP") must provide individuals with notice as to how PHI is disclosed for public health purposes, including without an individual's authorization. OCR notes that the HIPAA Privacy Rule permits, but does not require, that PHI be disclosed for public health purposes. To the extent that a covered entity has chosen not to disclose PHI without an individual's authorization (consistent with other applicable law), such covered entity would need to make individuals aware of any changes to this policy. For example, if state law permits certain disclosures to a PHA for public health activities but the covered entity has chosen not to make such disclosures without the individual's authorization or allows individuals to request that the covered entity not share PHI for such purposes (e.g., vaccine registries), and now the covered entity wishes to share such PHI for such purposes without authorization or a right to opt-out, the covered entity would be required to update its NPP and notify individuals of the revised policy.

Disclosure to a PHA must also be included in an accounting of disclosures report to individuals. While business associates are not required to have an NPP, they can be held directly liable for failure to account for disclosures, including those made to PHAs or their HIEs.

Practical Takeaways

  • Covered entities receive numerous requests to share data, including PHI, for public health reporting purposes, and such requests have likely increased due to the current pandemic. These requests must be carefully scrutinized because bad actors have attempted to impermissibly obtain data under the guise of official requests. Once a request has been verified as legitimate, this OCR guidance clarifies how and when PHI may be shared with PHAs through HIEs, acting on behalf of either the covered entities or the PHAs.
  • Covered entities should confirm that their NPPs address these types of disclosures without authorization to PHAs and confirm that they or their business associates document such disclosures so that a complete accounting of disclosures may be made upon an individual's request.
  • Additionally, covered entities and business associates, including HIEs, may want to revise their BAAs to expressly address use and disclosure of PHI for public health or health oversight activities, including reports to PHAs or their HIEs, to ensure continued compliance with HIPAA when the current state of emergency subsides and the existing NED expires.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.