HIPAA does not hinder data exchange in care coordination, care planning and case management, according to a recent blog post by Office of the National Coordinator Chief Privacy Officer Lucia Savage (pictured) and Aja Brooks, a privacy analyst with the agency.
The post, the third in a series of four on the topic, clarifies the parameters when sharing information for these purposes.
For instance, an inpatient facility that needs to transfer a patient to a rehabilitation facility does not need written patient authorization to disclose the patient's relevant protected health information (PHI) to prospective rehab facilities, although the disclosing facility still needs to comply with HIPAA's security rule when sending the information. Savage and Brooks also clarify that the disclosing facility's role in protecting the information is not absolute.
"Under HIPAA, the inpatient facility is responsible only for complying with HIPAA in disclosing the PHI to the rehabilitation facility in a permitted and secure manner," they write. "This includes sending the PHI securely and taking reasonable steps to send it to the right address. After the rehabilitation facility has received the PHI in accordance with HIPAA, the rehabilitation facility, as a covered entity itself, is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to any breaches that occur. The responsibility of the sending provider was to send it securely to the right address; the sending provider is not responsible for its security once received by another covered entity or the recipient covered entity's business associate (BA)."
In addition, a provider that hires a care planning company as its business associate to assist in care planning can obtain information from other providers to provide to the business associate. Moreover, the other providers can send their information to the business associate directly without needing to enter into separate business associate agreements of their own with the business associate.
Similarly, if a health plan hires a case management company to provide nutritional advice in order to assist in diabetes care, the case management company, as the plan's business associate, can query other relevant providers to obtain information that may impact that nutritional advice.
ONC and the Department of Health and Human Services' Office for Civil Rights have been releasing guidance to reduce confusion about HIPAA, which apparently has made covered entities reluctant to share information with other covered entities and with patients.
To learn more:
- read the blog post