FAQs Archive

Q: What are a covered entity’s responsibilities to notify others in a network if an amendment to protected health information is made?

Under the HIPAA Privacy Rule , a covered entity must make reasonable efforts to communicate an amendment to others in the network identified by the individual as needing the amendment, as well as generally to other parties that are known to have the information about the individual. It is also the entity’s responsibility to communicate the amendment within a reasonable time-frame. A health information organization (HIO), with the ability to track where information was exchanged in the past, or to otherwise identify where an individual’s information resides on the network, can assist the covered entity, as its business associate, in efficiently disseminating amended information to appropriate recipients throughout the electronic network.

Q: Who is responsible for amendment of protected health information in an electronic health information exchange environment?

The HIPAA Privacy Rule designates a covered entity as the responsible party for acting on an amendment request. However, a health information organization (HIO), acting as a business associate of the covered entity, may be required by its business associate contract to perform certain functions related to amendments, such as informing other participants in the HIO’s health information exchange who are known to have the individual’s information, of the amendment. See 45 CFR § 164.504(e) (2)(i)(F).

Q: To what extent does the HIPAA Privacy Rule allow third parties to access protected health information (PHI) through a health information organization (HIO) for purposes other than treatment, payment, and health care operations?

The Privacy Rule would permit a HIO, acting as a business associate of one or more covered entities, to make any disclosure the covered entities are permitted by the Privacy Rule to make, provided the HIO’s business associate agreement(s) authorizes the disclosure. See 45 CFR § 164.504(e) . For example, the Privacy Rule permits a covered entity to make disclosures of PHI for public health and research purposes, provided certain conditions are met. Such disclosures may be made by a HIO, on behalf of one or more covered entities, provided the covered entities or HIO satisfy all of the Privacy Rule’s applicable conditions, and the business associate agreement(s) with the HIO authorize the HIO to make the disclosure.

Q: May a health information organization (HIO), acting as a business associate of a HIPAA covered entity, de-identify information and then use it for its own purposes?

A HIO, as a business associate, may only use or disclose protected health information ( PHI ) as authorized by its business associate agreement with the covered entity. See 45 CFR § 164.504(e) . The process of de-identifying PHI constitutes a use of PHI. Thus, a HIO may only de-identify PHI it has on behalf of a covered entity to the extent that the business associate agreement authorizes the HIO to do so. However, once PHI is de-identified in accordance with the HIPAA Privacy Rule , it is no longer PHI and, thus, may be used and disclosed by the covered entity or HIO for any purpose (subject to any other applicable laws).