The Health Insurance Portability and Accountability Act (HIPAA) dictates how and when protected health information (PHI) can be shared. There has been some confusion around sharing PHI amongst covered entities (CEs). As such the Office of Civil Rights (OCR) released two new FAQs to further clarify the law. 

FAQ 1: Health Care Operations Disclosure 

The first FAQ relates to when CEs should be sharing PHI in relation to health care operations. The need to share PHI between covered entities (CEs) is a standard business practice; HIPAA law reflects this need but established certain scenarios in which sharing PHI is appropriate.  

PHI can be disclosed between covered entities (CEs) for health care operations when:

  1. Both parties have or had a relationship with the patient’s PHI;
  2. The PHI being requested relates to such relationship;
  3. The purpose of the disclosure is for health care operations, or to detect fraud, abuse, or compliance.

The disclosure of PHI is subject to HIPAA Privacy Rule standards, meaning that the minimum necessary rule still applies. 

FAQ 2: PHI Uses and Disclosures When the Initial Reason Differs

The second discusses what a covered entity (CE) can do with the PHI once they receive it. When a covered entity (CE) receives PHI, they are permitted to use and disclose PHI without individual authorization, whether or not the PHI is being used for its initial purpose.

However, covered entities (CEs) cannot use PHI for marketing purposes without the consent of the individual. The definition of “marketing” under HIPAA excludes communications that relate to a health product or service, as long as the covered entity (CE) does not receive any financial benefit from the exchange. 

Need Help with HIPAA Compliance?

Covered entities (CEs) must be aware of all aspects of HIPAA law that they are subject to. Compliancy Group simplifies your compliance allowing you to confidently focus on your business. Our cloud-based compliance software the GuardTM can be accessed from any device connected to the internet. In addition, The Guard stores all that you need to prove your “good faith effort” towards compliance in one convenient location. Find out more about how Compliancy Group can help you with your HIPAA compliance needs!