Myths in healthcare knowledge sharing usually cloud the understanding of permissible practices, however this hesitance normally stems from threat avoidance somewhat than regulatory constraints. HIPAA (Well being Insurance coverage Portability and Accountability Act) stands as a sentinel, guarding the safety and privateness of affected person data, however its limitations in supporting up to date information-sharing wants have to be acknowledged.
As “well being care” continues to evolve past simply medical care, clear steering is vital to make sure that HIPAA’s safeguards align with trendy realities and, much more importantly, that suppliers perceive the essential fundamentals. A few of these realities embody a rising variety of states present process new Medicaid waivers to handle health-related social wants and state initiatives accelerating knowledge sharing not solely between healthcare suppliers, but in addition with community-based organizations (CBOs) and social providers organizations (SSOs). Regardless of HIPAA permitting disclosures of protected well being data (PHI) to those non-covered entities, there may be nice hesitation to share with out particular person authorization.
Take California’s Knowledge Trade Framework (DxF) for instance. A visionary transfer established by state legislation to attain statewide knowledge sharing in California, the DxF mandates the trade of well being and social service data amongst collaborating entities. Amid this mandate, questions stay round find out how to share PHI with entities not lined underneath HIPAA.
Listed below are a number of widespread misconceptions about knowledge trade because it pertains to HIPAA-covered entities and non-covered entities:
Fable #1: Any group can violate HIPAA
HIPAA regulates lined entities to make sure the safety of information and to supervise its correct sharing. Non-covered entities usually are not topic to HIPAA necessities, and subsequently can’t technically violate them. Nevertheless, they could be required to adjust to sure HIPAA provisions, just like the Security Rule and Breach Notification Rule, and will have extra obligations underneath state legislation or contractual necessities.
Fable #2: PHI could by no means be shared with non-covered entities
A lined entity could share PHI with a non-covered entity as allowed by the HIPAA, which specifies the permitted makes use of. For example, a treating supplier could share related PHI with a SSO or a CBO, offered that the group presents a treatment-related service to the affected person.
Fable #3: PHI can’t be shared with non-covered entities for care coordination and case administration functions
HIPAA permits the sharing of PHI with CBOs and SSOs for care coordination and case administration. For example, a well being care supplier can share a affected person’s PHI if they’re in want of psychological well being supportive housing to an company arranging such providers; or they’ll share the person’s data with a senior middle or grownup day care supplier to rearrange needed well being providers like residence aides.
Fable #4: Written authorization is required to share PHI with third events for care coordination or remedy functions
Beneath HIPAA, well being care suppliers can share PHI with third events, like CBOs and SSOs, for remedy functions with out requiring particular person authorization, as per OCR guidance. For instance, a lined well being care supplier could disclose PHI to a senior middle or grownup day care supplier to assist coordinate needed health-related providers for a person, akin to arranging for a house aide to assist an older grownup with their prescribed post-discharge remedy protocol. Nevertheless, in the event that they did get hold of affected person consent to share, PHI will be shared extra broadly with the CBOs and SSOs which might be included on that authorization.
Fable #5: Lined entities are liable for what the receiving social gathering does with the PHI
The lined entity is accountable solely for complying with HIPAA when disclosing PHI to CBOs or SSOs in a permitted and safe method. This entails guaranteeing that the disclosure serves a permitted objective and securely sending the PHI to the right recipient. Nevertheless, the lined entity shouldn’t be accountable underneath HIPAA for the actions of the CBO or SSO after they disclose the data for a professional purpose and in a safe method.
A coordinated well being care and social service supply system requires readability and schooling to make sure that the higher imaginative and prescient of information sharing is achieved: enhancing affected person well being and well-being. As knowledge sharing turns into extra integral to assist trendy well being care practices with new partnerships and cross-sector collaboration, state and federal updates to related privateness regulation and steering – together with the HIPAA Privateness Rule – ought to clearly state the newest requirements to ease issues amongst even probably the most risk-averse organizations.
About Timi Leslie
Timi Leslie leads Connecting for Higher Well being, a coalition that strives to enhance data-sharing infrastructure with a objective of remodeling well being and social outcomes. She can be president of consulting agency BluePath Well being and has over 30 years of expertise within the healthcare trade.She advises organizations on enterprise technique, expertise innovation, companion relations, product administration and system implementation.
