Question: Does HIPAA allow the sharing of ePHI between unaffiliated providers?
Background: We are entering into an agreement with a non-affiliated health care provider to allow us to utilize their HIS system. They will be setting us up as a separate facility on their system through an ASP arrangement. We will have access to all their patients' demographics. When we go to register a patient for our facility, we will query their patient history file. If a patient has been to their facility, we will utilize that information.
Concern: There is no disclosure by the provider that their demographic information will be shared with our facility. Some of my colleagues are suggesting that it is permissible under the permissions granted through the treatment, payment and health care operations clause.
Response: As this concerns ePHI, there are some standards and requirements that must be considered from both the HIPAA Security Rule and the HIPAA Privacy Rule. I have placed a link for the actual verbiage from the Rules in brackets [ ] beside each excerpt from the rules so that you might draw your own conclusions.
The HIPAA Privacy Rule
[http://www.bricker.com/legalservices/practice/hcare/hipaa/164.506c.asp]
§ 164.506(c) Uses and disclosures to carry out treatment, payment, or health care operations.
(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) and (3), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart.
[http://www.bricker.com/legalservices/practice/hcare/hipaa/164.520b.asp]
Content of Notice of Privacy Practices - § 164.520(b)(1)(ii) Uses and disclosures. The notice must contain:
A. A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by this subpart to make for each of the following purposes: treatment, payment, and health care operations.
B. A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual’s written authorization.
The HIPAA Security Rule
Administrative Safeguards - § 164.308(b)
1. Standard: Business associate contracts and other arrangements. A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) that the business associate will appropriately safeguard the information.
2. This standard does not apply with respect to--
i. The transmission by a covered entity of electronic protected health information to a health care provider concerning the treatment of an individual.
Based on the excerpts from the HIPAA Privacy and Security Rules, and applying the definitions of use, disclosure and business associate, and the standard for minimum necessary [http://www.bricker.com/legalservices/practice/hcare/hipaa/164.502b.asp], the following are actions that the covered entities may want to consider.
1. The provider that is allowing access to their HIS by an unaffiliated provider should state in their NPP, or in a joint NPP, that PHI is provided to other providers for those providers' treatment, payment and health care operations. Through a BAA or other arrangement, the provider must document satisfactory assurances that the other provider will appropriately safeguard the information. Depending on the security capabilities of the HIS or of the technical environment in which the HIS runs, access to an individual's ePHI by the unaffiliated provider may require implementation of technical safeguards to audit system activity, and will also require the unaffiliated provider to abide by the HIS provider's rules of access.
2. The unaffiliated provider using another's HIS for treatment, payment and health care operations should state this in their NPP or joint NPP. The unaffiliated provider should give the HIS provider assurances that the ePHI will be safeguarded, and will need to set up rules of access and train their workforce on those rules. Depending on the technical capability of the unaffiliated provider, some method of access control and access monitoring will need to be implemented.
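The two action items above both come down to the same technical safeguards: the host's rules of access have to be enforced at the point of lookup, only the minimum necessary fields may flow to the other facility, and every access has to land in an audit trail the host can review. The following is an added illustration of those safeguards and is not code from this post or from any real HIS product. It assumes a hypothetical shared HIS in which each patient record carries a `home_facility` field, each user account carries a facility and a set of roles, and the host's (assumed) rules of access are: same-facility users see the full record; users from another facility may look up a patient only if they hold a `registration` role and then receive demographics only; every lookup, permitted or not, is logged. The patient records, user accounts and threshold are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Minimum-necessary field set for a cross-facility registration lookup (assumption).
DEMOGRAPHIC_FIELDS = ("mrn", "name", "dob", "address", "phone")


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    user_facility: str
    mrn: str
    record_facility: str   # "-" when the MRN does not exist
    outcome: str           # "permitted", "denied" or "not_found"
    reason: str


class SharedHIS:
    """Hypothetical shared HIS enforcing facility-scoped access with an audit trail."""

    def __init__(self, records: Dict[str, dict], users: Dict[str, dict]):
        self.records = records
        self.users = users
        self.audit_log: List[AuditEvent] = []

    def _log(self, user: str, mrn: str, record_facility: str, outcome: str, reason: str) -> None:
        # Append-only: the log is written for every lookup before any data is returned.
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user,
            self.users[user]["facility"], mrn, record_facility, outcome, reason))

    def lookup_patient(self, user: str, mrn: str) -> Optional[dict]:
        acct = self.users[user]
        record = self.records.get(mrn)
        if record is None:
            self._log(user, mrn, "-", "not_found", "no such patient")
            return None
        if record["home_facility"] == acct["facility"]:
            self._log(user, mrn, record["home_facility"], "permitted", "same facility")
            return dict(record)
        if "registration" not in acct["roles"]:
            self._log(user, mrn, record["home_facility"], "denied",
                      "role not permitted to query another facility's patients")
            return None
        # Cross-facility lookup: return only the demographic fields needed to register.
        self._log(user, mrn, record["home_facility"], "permitted",
                  "cross-facility registration lookup, demographics only")
        return {k: record[k] for k in DEMOGRAPHIC_FIELDS}


def review_audit_log(events: List[AuditEvent], denial_threshold: int = 3) -> dict:
    """Summarise cross-facility activity for the host provider's periodic access review."""
    cross = [e for e in events if e.record_facility not in ("-", e.user_facility)]
    denied_by_user: Dict[str, int] = {}
    for e in cross:
        if e.outcome == "denied":
            denied_by_user[e.user] = denied_by_user.get(e.user, 0) + 1
    return {
        "cross_facility_permitted": sum(1 for e in cross if e.outcome == "permitted"),
        "cross_facility_denied": sum(1 for e in cross if e.outcome == "denied"),
        # Repeated denials from one account are worth a human look under the host's rules.
        "users_to_review": sorted(u for u, n in denied_by_user.items() if n >= denial_threshold),
    }


def demo():
    # Constructed sample data; the facility codes, MRNs and users are not real.
    records = {
        "MRN001": {"mrn": "MRN001", "name": "Jane Doe", "dob": "1970-01-01",
                   "address": "1 Example St", "phone": "555-0100",
                   "home_facility": "HOST", "clinical_history": ["2019-03-02 ED visit"]},
        "MRN002": {"mrn": "MRN002", "name": "John Roe", "dob": "1985-06-15",
                   "address": "2 Example St", "phone": "555-0101",
                   "home_facility": "HOST", "clinical_history": []},
    }
    users = {
        "host_clerk":    {"facility": "HOST",  "roles": {"registration"}},
        "guest_reg":     {"facility": "GUEST", "roles": {"registration"}},
        "guest_billing": {"facility": "GUEST", "roles": {"billing"}},
    }
    his = SharedHIS(records, users)
    full = his.lookup_patient("host_clerk", "MRN001")      # same facility: full record
    view = his.lookup_patient("guest_reg", "MRN001")       # cross-facility: demographics only
    denied = his.lookup_patient("guest_billing", "MRN001") # wrong role: denied and logged
    for mrn in ("MRN001", "MRN002", "MRN001"):             # repeated attempts are logged too
        his.lookup_patient("guest_billing", mrn)
    summary = review_audit_log(his.audit_log)
    return his, full, view, denied, summary


if __name__ == "__main__":
    his, full, view, denied, summary = demo()
    print(sorted(view), denied, summary)
```

The point of the shape is that the host, not the guest, decides what a cross-facility lookup returns and keeps the record of who asked; the guest's own workforce rules and training (item 2) then sit on top of that, because the host's log is what both parties will rely on when an access has to be explained.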
Has anyone encountered this type of arrangement? How were the HIPAA standards and requirements resolved? For discussion on this subject, please visit the ShareHIPAA2 group (the discussion companion of the ShareHIPAA group) home page. The messages section (Message Archives) is available for public view/access. If you want to share your comments you will need to join ShareHIPAA2. The ShareHIPAA2 group's home page link is:
http://health.groups.yahoo.com/group/ShareHIPAA2
To join, select "Join This Group!"
Thank you,
Barbara McGowin
HIT Recruiting
Resource Consultant
(843) 824-8537
Connecting Health Care Organizations with People,
Products and Services to Achieve HIPAA Compliance.