HIPAA Technology and Clinical Research Guidance Library

1. Does the HIPAA Privacy Rule inhibit electronic health information exchange across different states or jurisdictions?

No. The Privacy Rule establishes a federal baseline of privacy protections and rights, which applies to covered entities consistently across state borders. The Privacy Rule, however, as required by HIPAA, does not preempt State laws that provide greater privacy protections and rights. Thus, as with covered entities that conduct business today on paper in a multi-jurisdictional environment, covered entities participating in electronic health information exchange need to be cognizant of States with more stringent privacy laws that will affect the exchange of electronic health information across State lines. In addition, other Federal laws also may apply more stringent or different requirements to such exchanges depending on the circumstances.

Covered entities and health information organizations (acting as their business associates) which participate in multi-jurisdictional electronic health information exchange should establish privacy policies for the network that accommodate these variances.

2. How do HIPAA authorizations apply to an electronic health information exchange environment?

The HIPAA Privacy Rule requires the individual’s written authorization for any use or disclosure of protected health information (PHI) not otherwise expressly permitted or required by the Privacy Rule. For example, authorizations are not generally required to disclose PHI for treatment, payment, or health care operations purposes because covered entities are permitted to use and disclose PHI for such purposes, with few exceptions. Thus, to the extent the primary purpose of any electronic health information exchange is to exchange clinical information among health care providers for treatment, HIPAA authorizations are unlikely to be a common method of effectuating individual choice for the exchange. However, if the purpose of a covered entity sharing PHI through a health information organization is for a purpose not otherwise permitted by the Privacy Rule, then a HIPAA authorization would be required. In such cases, the Privacy Rule would allow covered entities to disclose PHI pursuant to an electronic copy of a valid and signed authorization. Further, the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.

3. Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to Opt-In or Opt-Out of electronic health information exchange?

Yes. In particular, the Privacy Rule’s provisions for optional consent and the right to request restrictions can support and facilitate individual choice with respect to the electronic exchange of health information through a networked environment, depending on the purposes of the exchange. The Privacy Rule allows covered entities to obtain the individual’s consent in order to use or disclose protected health information (PHI) for treatment, payment, and health care operations purposes. If a covered entity chooses to obtain consent, the Privacy Rule provides the covered entity with complete flexibility as to the content and manner of obtaining the consent. 45 C.F.R. § 164.506(b). Similarly, the Privacy Rule also provides individuals with a right to request that a covered entity restrict uses or disclosures of PHI about the individual for treatment, payment, or health care operations purposes. See 45 C.F.R. § 164.522(a). While covered entities are not required to agree to an individual’s request for a restriction, they are required to have policies in place by which to accept or deny such requests. Thus, covered entities may use either the Privacy Rule’s provisions for consent or right to request restrictions to facilitate individual choice with respect to electronic health information exchange.

Further, given the Privacy Rule’s flexibility, covered entities could design processes that apply on a more global level (e.g., by requiring an individual’s consent prior to making any disclosure of PHI to or through a health information organization (HIO), or granting restrictions only in which none of the individual’s information is to be exchanged to or through the HIO) or at a more granular level (such as by type of information, potential recipients, or the purposes for which a disclosure may be made). Whatever the policy, such decisions may be implemented on an organization-wide level, or across a HIO’s health information exchange (such as based on the consensus of the health information exchange participants).

4. Who has the right to consent or the right to request restrictions with respect to whether a covered entity may electronically exchange a minor’s protected health information to or through a health information organization (HIO)?

As with a minor’s paper medical record, generally a parent, guardian, or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor is the personal representative of the minor under the HIPAA Privacy Rule and, thus, is able to exercise all of the HIPAA rights with respect to the minor’s health information. Thus, a parent, guardian, or other person acting in loco parentis who is a personal representative would be able to consent to, if the covered entity has adopted a consent process under the Privacy Rule, or to request restrictions on, disclosures of the minor’s health information to or through a HIO for treatment or other certain purposes. However, there are a few exceptions when the parent, guardian, or other person acting in loco parentis is not the personal representative of the minor child, such as:

• when State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service;
• when a court determines or other law authorizes someone other than the parent, guardian, or person acting in loco parentis to make treatment decisions for a minor; and
• when a parent, guardian, or person acting in loco parentis agrees to a confidential relationship between the minor and a health care provider. In such cases, it is only the minor, and not the parent(s), who may exercise the HIPAA rights with respect to the minor’s health information.

5. Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to decide whether sensitive information about them may be disclosed to or through a health information organization (HIO)?

Yes. To the extent a covered entity is using a process either to obtain consent or act on an individual’s right to request restrictions under the Privacy Rule as a method for effectuating individual choice, policies can be developed for obtaining consent or honoring restrictions on a granular level, based on the type of information involved. For example, specific consent and restriction policies could be developed, either on an organization level or HIO level, for HIV/AIDS, mental health, genetic, and/or substance abuse information. In addition, there may be other Federal and State laws that will affect a covered entity’s exchange of this sensitive information to or through a HIO, and covered entities should consider these other laws when developing individual choice policies. For example, such laws may prescribe the form of consent that is required or create other requirements for the disclosure of information based on the type of information or the intended recipient.

6. Does the HIPAA Privacy Rule permit a covered entity to disclose psychotherapy notes to or through a health information organization (HIO)?

Yes, provided the covered entity has obtained the individual’s written authorization in accordance with 45 C.F.R. § 164.508. See 45 C.F.R. § 164.501 for the definition of “psychotherapy notes.” With few exceptions, the Privacy Rule requires a covered entity to obtain individual authorization prior to a disclosure of psychotherapy notes, even for a disclosure to a health care provider other than the originator of the notes, for treatment purposes. For covered entities operating in an electronic environment, the Privacy Rule does, however, allow covered entities to disclose protected health information pursuant to an electronic copy of a valid and signed authorization, as well as to obtain HIPAA authorizations electronically from individuals, provided any electronic signature is valid under applicable law.

The information presented in our library is for informational purposes only, they are not for implementation in operations. Please consult official HIPAA guidance documents for operational use.

This information was sourced from HIPAA FAQs for Professionals.