Article | Insider

HHS issues HIPAA guidance on protected health information

By Maureen Gammon and Anu Gogna | September 18, 2025

Individuals have a right to access their protected health information when it is part of a "designated record set," which includes medical or claims records used to make decisions about them.

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) released updated FAQ guidance on individuals’ rights to access their protected health information (PHI) from their healthcare providers and health plans. An additional FAQ was issued on the disclosure of PHI to value-based care arrangements, such as accountable care organizations, without the individual’s authorization.

  • FAQ on individuals’ right to access: The HIPAA Privacy Rule gives individuals the right to request and obtain access to their PHI in designated record sets, which are maintained by or for healthcare providers and group health plans (i.e., HIPAA covered entities) to make decisions about individuals. These include medical records, billing records, payment and claims records, health plan enrollment records and case management records. Conversely, individuals do not have a right to access PHI that is not part of a designated record set. This can include certain quality assessment or improvement records; patient safety activity records; or business planning, development and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, individuals would not have the right to access internal memos related to the development of a formulary; however, they would have the right to access information about prescription drugs that were prescribed for them, and claims records related to payment for those drugs, even if that information was relied on in, or helped inform, the development of the formulary.
  • FAQ on disclosure of PHI to value-based care arrangements: Under the HIPAA Privacy Rule, a covered entity may disclose an individual’s PHI for its own treatment activities without the individual’s authorization. The rule generally allows PHI to be used or disclosed for treatment purposes, and this includes disclosures to participants in value-based care arrangements, such as accountable care organizations. The definition of “treatment” contemplates interaction among more than one entity; therefore, a covered entity is permitted to disclose PHI, regardless of to whom the disclosure is made, when the disclosure is made for the treatment activities of a healthcare provider. For example, a covered healthcare provider may disclose PHI for the treatment activities of another healthcare provider without the individual’s authorization when both providers are treating the individual through a value-based care arrangement (e.g., an accountable care organization).

Employer plan sponsors should confirm that their HIPAA policies and procedures comply with the OCR’s FAQ guidance.

Authors: Maureen Gammon, Senior Regulatory Advisor, Health and Benefits; Anu Gogna, Senior Regulatory Advisor, Health and Benefits