Physicians get new clarification on HIPAA’s privacy rule
Although the Health Insurance Portability and Accountability Act (HIPAA) has been law for well over a decade, there is still confusion surrounding some of the regulations contained in it. The privacy rule, for example, can be difficult to navigate.
Recently, the U.S. Department of Health and Human Services (HHS), the Office of the National Coordinator for Health IT (ONC) and the Office of Civil Rights (OCR), collaborated to release a series of fact sheets to help healthcare providers and others bound by HIPAA to understand when personal health information (PHI) can be shared without the patient’s authorization, which is one of the most frequently misunderstood parts of the privacy rule.
Two of the fact sheets are Permitted Uses and Disclosures: Healthcare Operations and Permitted Uses and Disclosures: Exchange for Treatment. The two documents offer concrete examples of specific situations that could cause confusion for covered entities in the areas of operations and coordination of treatment. Jeff Drummond, an attorney with Jackson Walker, LLP, in Dallas, Texas, says the main reason people have difficulty with HIPAA is that they don’t understand how the law is structured.
“People have a hard time putting HIPAA together with their day-to-day lives,” says Drummond, adding that the fact sheets are geared to help bridge that gap with real-world examples for physicians.
In the operations fact sheet, HHS discusses the kinds of exceptions that make patient authorization unnecessary: improving the quality of care, developing guidelines or protocols, coordinating care, reviewing the qualifications of healthcare providers or conducting training, among several others. “Sharing information in order to develop clinical pathways is useful and very important, and we have to have some level of information sharing,” says Drummond of the exceptions.