ONC Issues Fact Sheet Explaining Exchange of Health Information for Public Health Activities

The U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) and Office of Civil Rights (OCR) have published a new fact sheet explaining some of the circumstances under which the sharing of electronic healthcare information without patients’ written consent is permitted by Health Insurance Portability and Accountability Act (HIPAA) Rules.

The HIPAA Privacy Rule came into effect in April 2003 and set new standards to protect individuals’ personal health information. The HIPAA Privacy Rule sets limits and conditions on when personal health information can be used or disclosed without prior consent being obtained from patients. For example, the HIPAA Privacy Rule allows HIPAA-covered entities (healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities) to share the personal health information of patients for treatment purposes and healthcare operations.

Health information many need to be shared between two healthcare providers involved in the treatment of a patient and personal health information may need to be shared between a healthcare provider and a health plan for example.

The ONC has previously released fact sheets explaining HIPAA Rules concerning the sharing of health information for the purpose of treatment and for healthcare operations. The latest fact sheet covers the sharing of health information for public health activities.

The sharing of health information has been essential for containing Ebola and monitoring Zika virus infections, and well as supporting other public health activities such as responding to natural disasters and tackling major health crises such as lead poisoning.

HIPAA does not permit healthcare organizations to share entire medical histories, instead healthcare organizations are required to limit disclosure to the “minimum necessary” for a specific purpose.

The fact sheet lists nine different hypothetical scenarios where health information could be shared without the consent of patients. The scenarios apply to all covered entities, although business associates of covered entities are only permitted to share ePHI if they have been authorized to do so by a covered entity in their business associate agreement (BAA).

The fact sheet covers:

  • Reportable Diseases: Exchanging ePHI with the U.S. Centers for Disease Control (CDC).
  • Public Health Surveillance: Exchanging patient data with health departments to monitor cancer occurrence.
  • Public Health Investigations: Exchange of ePHI with the Department of Health to monitor and investigate disease outbreaks.
  • Public Health Interventions: Exchanging data with health departments on lead poisoning.
  • Product Recalls: Exchanging information on patients regarding medical devices that are under Food and Drug Administration (FDA) jurisdiction.
  • Medical Surveillance in the Workplace: Exchange of ePHI to evaluate work-related illness and injuries.
  • Sharing data using EHR technology

The Fact Sheet – Permitted Uses and Disclosures: Exchange for Public Health Activities can be downloaded on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.