FAQs Archive

Q: Does the HIPAA Privacy Rule allow covered entities participating in electronic health information exchange with a health information organization (HIO) to establish a common set of safeguards?

Yes. The Privacy Rule requires a covered entity to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information ( PHI ), including reasonable safeguards to protect against any intentional or unintentional use or disclosure in violation of the Privacy Rule. See 45 CFR § 164.530(c) . Each covered entity can evaluate its own business functions and needs, the types and amounts of PHI it collects, uses, and discloses, size, and business risks to determine adequate safeguards for its particular circumstances. With respect to electronic health information exchange, the Privacy Rule would allow covered entities participating in an exchange with a HIO to agree on a common set of privacy safeguards that are appropriate to the risks associated with exchanging PHI to and through the HIO. In addition, as a requirement of participation in the electronic health information exchange with the HIO, these commonly agreed to safeguards also could be extended to other participants, even if they are not covered entities. A common or consistent set of standards applied to the HIO and its participants may help not only to facilitate the efficient exchange of information, but also to foster trust among both participants and individuals.

Q: Are health information organizations (HIOs) required to have a HIPAA Notice of Privacy Practices (NPP)?

Generally, no. The HIPAA Privacy Rule ’s NPP obligations extend only to HIPAA covered entities and the functions a HIO generally performs do not make it a HIPAA covered entity (i.e., a health plan, health care clearinghouse, or covered health care provider). See 45 CFR § 160.103 (definition of “covered entity”). However, while a HIO does not itself have a HIPAA obligation to provide a NPP to individuals, the Privacy Rule permits covered entities that participate in electronic health information exchange with the HIO to provide notice to individuals of the disclosures that will be made to and through the HIO and through the network, as well as how individuals’ health information will be protected by the HIO.

Q: Can a health information organization (HIO) participate as part of an affiliated covered entity?

A HIO generally is not a HIPAA covered entity and the HIPAA Privacy Rule allows only certain legally separate covered entities to designate themselves as a single affiliated covered entity for purposes of complying with the Privacy Rule. Thus, a HIO generally may not participate as part of an affiliated covered entity. See 45 CFR § 164.105(b) for the requirements and conditions regarding affiliated covered entities.

Q: Can a health information organization (HIO) participate as part of an organized health care arrangement (OHCA)?

A HIO, by definition, cannot participate as part of an OHCA because the HIPAA Privacy Rule defines OHCA as an arrangement involving only health care providers or health plans, neither of which a HIO qualifies as. However, a HIO may be a business associate of an OHCA if the HIO performs functions or activities on behalf of the OHCA. See 45 CFR § 160.103 (definitions of “organized health care arrangement” and “business associate”). For example, a hospital and the health care providers with staff privileges at the hospital are an OHCA for purposes of the Privacy Rule. To the extent such an arrangement uses a HIO for electronic health information exchange, the HIO would be a business associate of the OHCA.

Q: Can a health information organization (HIO), as a business associate, exchange protected health information (PHI) with another HIO acting as a business associate?

Yes, so long as the disclosure of PHI is authorized by the HIO’s business associate agreement and the information exchange would be permitted by the HIPAA Privacy Rule. For example, a HIO may disclose, on behalf of a primary care physician, PHI about an individual for treatment purposes in response to a query from another HIO, acting on behalf of a hospital at which the individual is a patient, unless, for instance, the primary care physician has agreed to the patient’s request to restrict such disclosures. Similarly, a HIO that is a business associate of two different covered entities may share PHI it receives from one covered entity with the other covered entity as permitted by the Privacy Rule and its business associate agreement, for example, for treatment purposes, subject to any applicable restrictions.