Myths in healthcare knowledge sharing usually cloud understanding of permissible practices, however this hesitation normally stems from threat aversion fairly than authorized constraints. HIPAA (Well being Insurance coverage Portability and Accountability Act) acts as a sentinel guarding the safety and privateness of affected person knowledge, however its limitations in supporting as we speak’s info sharing wants should be acknowledged.

As “healthcare” evolves past medical care, clear steering is essential to make sure that HIPAA’s safeguards align with trendy realities and, extra importantly, that suppliers perceive the fundamentals. A few of these realities embrace a rising variety of states enacting new Medicaid waivers to deal with health-related social wants and state initiatives that speed up knowledge sharing not solely amongst suppliers, but in addition with community-based organizations (CBOs) and social service organizations (SSOs). Regardless of HIPAA’s capability to reveal protected well being info (PHI) to those non-covered entities, there may be appreciable hesitation to share with out particular person consent.

Take California’s Information Change Framework (DxF), for instance. A visionary transfer put in place by state regulation to attain statewide knowledge sharing in California, the DxF mandates the change of well being and social service info amongst collaborating entities. Amid this mandate, questions stay about how PHI may be shared with entities not coated by HIPAA.

Beneath are some widespread misconceptions about knowledge sharing relating to entities which might be and usually are not coated by HIPAA:

Fantasy #1: Any group can violate HIPAA

HIPAA regulates coated entities to make sure the safety of knowledge and to supervise its correct sharing. Non-covered entities usually are not topic to HIPAA necessities and due to this fact can’t technically violate them. Nonetheless, they might be required to adjust to sure HIPAA provisions, such because the Safety Rule and Breach Notification Rule, and should have further obligations underneath state regulation or contractual necessities.

Fantasy #2: PHI ought to by no means be shared with non-covered entities

A coated entity could share PHI with a non-covered entity as permitted by HIPAA, which specifies permitted makes use of. For instance, a treating supplier could share related PHI with an SSO or a CBO, supplied the group is offering a treatment-related service to the affected person.

Fantasy #3: PHI can’t be shared with non-covered entities for care coordination and case administration functions

HIPAA permits the sharing of PHI with CBOs and SSOs for care coordination and case administration. For instance, a well being care supplier could share a affected person's PHI if the affected person has a necessity for supportive housing for psychological well being with an company that arranges for such companies; or they might share the person's info with a senior middle or grownup day care to rearrange for vital well being companies, equivalent to dwelling well being care.

Fantasy #4: Written consent is required to share PHI with third events for care coordination or remedy functions

Below HIPAA, well being care suppliers could share PHI with third events, equivalent to CBOs and SSOs, for remedy functions with out requiring particular person consent, in step with OCR tips. For instance, a coated well being care supplier could disclose PHI to a senior dwelling middle or grownup day care to coordinate vital health-related companies for a person, equivalent to arranging for a house well being aide to help an older grownup with their prescribed remedy protocol after discharge. Nonetheless, if they’ve obtained the affected person’s consent to share, PHI could also be shared extra broadly with the CBOs and SSOs which might be included in that consent.

Fantasy #5: Lined entities are accountable for what the receiving social gathering does with the PHI

The coated entity is solely accountable for complying with HIPAA when disclosing PHI to CBOs or SSOs in a permissible and safe method. Because of this the disclosure is for a permissible function and the PHI is transmitted securely to the suitable recipient. Nonetheless, the coated entity will not be liable underneath HIPAA for the actions of the CBO or SSO after they’ve disclosed the knowledge for a authentic cause and in a safe method.

A coordinated well being and social companies system requires readability and training to make sure the bigger imaginative and prescient of knowledge sharing is achieved: bettering affected person well being and well-being. As knowledge sharing turns into more and more essential to assist trendy well being care practices with new partnerships and collaboration throughout sectors, updates to related state and federal privateness rules and tips – together with the HIPAA Privateness Rule – should clearly articulate the newest requirements to ease issues for even essentially the most risk-averse organizations.

About Timi Leslie

Timi Leslie leads Connecting for Higher Well being, a coalition devoted to bettering the infrastructure for knowledge sharing with the aim of reworking well being and social outcomes. She can be president of consulting agency BluePath Well being and has greater than 30 years of expertise in healthcare. She advises organizations on enterprise technique, expertise innovation, associate relationships, product administration, and techniques implementation.