What Are HIE Data Sharing Rules?

A health information exchange (HIE) is an organization that enables the sharing of electronic protected health information (ePHI) among more than two unaffiliated entities. These entities include healthcare providers, health plans, and business associates. The sharing is for payment, treatment, or healthcare operations purposes. The Department of Health and Human Services recently issued guidance as to how and when covered entities or their business associates may use HIEs to share or disclose protected health information for the public health activities of a public health authority. HIE data sharing is permitted under specific circumstances. HIE data sharing rules are discussed below.

What Are Public Health Activities and Authorities?

Health information exchanges contain critical information needed by public health authorities (PHAs). By sharing ePHI with public health authorities, exchanges help communities prevent, respond to, and recover from public health emergencies, such as COVID-19.

HIE data sharing rules center around when an HIE may share ePHI with or report ePHI to a PHA to assist or enable the public health authority to carry out public health activities.

HIE Data Sharing Rules

The HIE data sharing rules guidance addresses when an HIE may receive ePHI without written patient authorization. Under the HIPAA Privacy Rule, a covered entity or business associate may disclose ePHI to an HIE, in order for the HIE to report PHI to a public health authority conducting public health activities, when:

The disclosure is required by law.

For example, where a state law requires hospitals to transmit patient treatment and laboratory testing data to an HIE for the purpose of reporting to the appropriate state or local public health department, the hospital would not violate the Privacy Rule when it transmits the data to an HIE for that purpose.

When an HIE is a business associate of the covered entity (or of another business associate) that wishes to provide PHI to a PHA for public health purposes.

An HIE acting as such a business associate may disclose PHI to a PHA when the terms of the business associate agreement (BAA) expressly permit or require the HIE to disclose PHI to a PHA on behalf of a covered entity, directly or through another business associate. Under the new guidance, the Office for Civil Rights (OCR) will not impose penalties on a business associate HIE for disclosing PHI to a PHA during the COVID-19 public health emergency when its BAAs do not authorize the disclosure, consistent with OCR’s Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19. For example, during the COVID-19 public health emergency, an HIE may transmit patient test results it receives in the HIE’s role as a covered healthcare provider’s business associate, in response to a PHA’s request, regardless of whether the HIE’s BAA wi