HIPAA Technology and Clinical Research Guidance Library

1. May a HIPAA Notice of Privacy Practices (NPP) specifically mention that protected health information (PHI) will be disclosed to and through a health information organization (HIO)? May the NPP mention that the covered health care provider uses an electronic health record (EHR)?

Yes, covered entities are permitted to include such information in their NPPs. The HIPAA Privacy Rule requires that a covered entity’s NPP describe the types of uses and disclosures of PHI a covered entity is permitted to make. The Rule also requires that a covered entity’s NPP include at least one example of the uses and disclosures the covered entity is permitted to make for treatment, payment, and health care operations purposes. See 45 C.F.R. § 164.520(b).  While the Privacy Rule does not require that these examples describe the covered entity’s disclosure of PHI to and through a HIO for treatment and other purposes, or that a covered health care provider uses an EHR, the Privacy Rule does not preclude a covered entity from including in its NPP additional information concerning the covered entity’s participation in these activities. Alternatively, a covered entity may wish to provide the individual with a separate notice of the disclosures that may be made to and through a HIO, and how the individual’s health information will be protected.

Such notice that mentions that PHI will be disclosed to and through a HIO or that the covered health care provider uses an EHR would help facilitate the openness and transparency in electronic health information exchange that is important for building trust and thus, is encouraged. Some individuals also may find the fact that a health care provider participates in electronic health information exchange, or that the provider uses an EHR, to be an important factor that could lead individuals to choose that provider over another. Also, to the extent the individual is provided with certain choices of how or if the individual’s information is to be exchanged through a HIO, notice of the disclosures a covered entity may make to and through a HIO, as well as how the individual’s information will be protected, would be an important element of informing such choices.

2. Are health information organizations (HIOs) required to have a HIPAA Notice of Privacy Practices (NPP)?

Generally, no. The HIPAA Privacy Rule’s NPP obligations extend only to HIPAA covered entities and the functions a HIO generally performs do not make it a HIPAA covered entity (i.e., a health plan, health care clearinghouse, or covered health care provider). See 45 C.F.R. § 160.103 (definition of “covered entity”). However, while a HIO does not itself have a HIPAA obligation to provide a NPP to individuals, the Privacy Rule permits covered entities that participate in electronic health information exchange with the HIO to provide notice to individuals of the disclosures that will be made to and through the HIO and through the network, as well as how individuals’ health information will be protected by the HIO.

3. May covered entities that operate in electronic environments provide individuals with their HIPAA Notice of Privacy Practices (NPP) electronically?

Yes, provided the individual agrees to receive the covered entity’s NPP electronically and such agreement has not been withdrawn (although the individual always retains the right to receive a paper copy of the NPP upon request). Further, where health care is delivered to an individual electronically, such as through e-mail, or over the Internet, the provider must send an electronic NPP automatically and contemporaneously in response to the individual’s request for service. Except in an emergency treatment situation, a covered entity that has a direct treatment relationship with an individual and who delivers an NPP electronically also must make a good faith effort to obtain a written acknowledgment of receipt, either electronically or through other means. In addition, the HIPAA Privacy Rule requires a covered entity that maintains a website providing information about the covered entity’s services or benefits to prominently post its NPP on its website. See 45 C.F.R. § 164.520(c).

The information presented in our library is for informational purposes only, they are not for implementation in operations. Please consult official HIPAA guidance documents for operational use.

This information was sourced from HIPAA FAQs for Professionals.