What Are HIE Data Sharing Rules?

A health information exchange (HIE) is an organization that enables the sharing of electronic protected health information (ePHI) among more than two unaffiliated entities. These entities include healthcare providers, health plans, and business associates. The sharing is for payment, treatment, or healthcare operations purposes. The Department of Health and Human Services recently issued guidance as to how and when covered entities or their business associates may use HIEs to share or disclose protected health information for the public health activities of a public health authority. HIE data sharing is permitted under specific circumstances. HIE data sharing rules are discussed below.

What Are Public Health Activities and Authorities?

Health information exchanges contain critical information needed by public health authorities (PHAs). Exchanges, working with public health authorities by sharing ePHI, help communities  prevent, respond, and recover from public health emergencies, such as COVID-19.

HIE data sharing rules center around when an HIE may share ePHI with or report ePHI to a PHA to assist or enable the public health authority to carry out public health activities.

HIE Data Sharing Rules

The HIE data sharing rules guidance addresses when an HIE may receive ePHI without written patient authorization. Under the HIPAA Privacy Rule, a covered entity or business associate may disclose ePHI to an HIE, in order for the HIE to report PHI to a public health authority conducting public health activities, when:

The disclosure is required by law.

For example, where a state law requires hospitals to transmit patient treatment and laboratory testing data to an HIE for the purpose of reporting to the appropriate state or local public health department, the hospital would not violate the Privacy Rule when it transmits the data to an HIE for that purpose.

Rated #1 on G2

“Compliancy Group makes a highly complex process easy to understand.”

Easiest To Do Business With 2024

When an HIE is a business associate of the covered entity (or of another business associate) that wishes to provide PHI to a PHA for public health purposes.

An HIE acting as such a business associate may disclose PHI to a PHA when the terms of the business associate agreement (BAA) expressly permit or require the HIE to disclose PHI to a PHA on behalf of a covered entity, directly or through another business associate. Under the new guidance, the Office for Civil Rights (OCR) will not impose penalties on a business associate HIE for disclosing PHI to a PHA during the COVID-19 public health emergency when its BAAs do not authorize the disclosure, consistent with OCR’s Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19. For example, during the COVID-19 public health emergency, an HIE may transmit patient test results it receives in the HIE’s role as a covered healthcare provider’s business associate, in response to a PHA’s request, regardless of whether the HIE’s BAA with the provider permits the disclosure.

When an HIE is acting under a grant of authority or contract with a PHA for a public health activity.

A covered entity, or a business associate acting on the covered entity’s behalf (i.e., the covered entity’s HIE), may disclose PHI to an HIE that is acting under a grant of authority from, or contract with, a PHA authorized by law to collect or receive such information for public health activities. Examples of such disclosures include:

A PHA can engage an HIE to collect laboratory test results from healthcare providers, regardless of whether the providers participate in that HIE. A lab that is not a participant in the HIE may transmit patient test results to the HIE, for transmission to the public health authority. The transmission is permitted because the HIE is acting under the PHA’s grant of authority to obtain PHI for public health activities.

HIE Data Sharing Rules and the Minimum Necessary Standard

Under HIE data sharing rules, a PHA’s request for PHI to a covered entity must seek the minimum necessary information the PHA needs for its stated public health purpose. The Privacy Rule allows providers to rely on the PHA’s representation that the request is for the minimum necessary information, provided that reliance is reasonable under the circumstances. Examples of when providers may rely upon a PHA’s representation as reasonable include:  

  • The Centers for Disease Control and Prevention (CDC), in its capacity as a PHA, requests that a provider disclose PHI to it, for confirmed or suspected cases of patients exposed to COVID-19, using electronic case reporting (ECR). ECR is the automated generation and transmission of case reports from an electronic health record (EHR, or digital paper chart) to a public health agency, for review and action.
  • A state health department requests that a provider report recent diagnoses of the flu using an electronic continuity of care document. This document is a summary record that includes patient identity, demographic information, and lab test results.
  • A local PHA requests that covered healthcare providers participating in a regional HIE submit.

HIE Data Sharing Rules and Provider Direct Disclosure of PHI to a PHA

Under the HIE data sharing rules, a provider may directly disclose PHI to a public health authority through an HIE, without the PHA having to directly ask for it. The Privacy Rule specifically permits provider disclosure of PHI to a PHA, using a health information exchange. The disclosure must be for public health activities, and the provider, under HIE data sharing rules, must know that the PHA is using the exchange (or that the exchange is acting on behalf of the public health authority) to collect such information. For example, a local health department that is authorized to obtain COVID-19 test results and to track the health of tested individuals, can give an HIE the authority to receive summary records about individuals tested from local providers. The provider, with knowledge that the health department is using the HIE for a public health activity, can transmit testing records to the HIE for reporting to the health department. This transmission does not violate the minimum necessary standard. It also expedites sharing of information in a time-sensitive emergency.

What Rights Do Patients Have?

If a provider discloses PHI for public health purposes, the provider must give notice of that fact to individuals, through the Notice of Privacy Practices (NPP). The NPP must describe purposes for which a provider may use or disclose PHI without written authorization; disclosure for public health activities is one of these purposes. However, since the Privacy Rule generally does not require (as opposed to permit) a provider to make disclosures for public health purposes, a provider may choose to honor an individual’s request to not disclose PHI about the individual to a PHA, provided that other law does not require the disclosure. In addition, when a patient asks a provider for an accounting of the patient’s PHI disclosures, the accounting must include disclosures made for public health purposes. 

See How It Works