As more health care entities implement population health and care coordination initiatives, questions arise concerning the application of the Health Insurance Portability and Accountability Act and its regulations (collectively, HIPAA) to such efforts. Although HIPAA applies to protected health information (PHI) used and shared by covered entities (CEs) in connection with population health activities, in many circumstances HIPAA permits the use and sharing of such PHI without patient authorization or business associate agreements.
Is there a need for patient authorization in population health activities?
Generally, the Privacy Rule permits CEs to use and disclose PHI for treatment, payment and health care operations. Common population health activities which qualify as health care operations under HIPAA include, but are not limited to, the following:
- Conducting quality assessment and improvement activities;
- Population-based activities relating to improving health or reducing health care costs;
- Case management and care coordination; and
- Evaluating provider and health plan performance.
When a CE uses or discloses PHI to perform one of the foregoing activities for its own health care operations, a patient authorization is not necessary under HIPAA. Additionally, HIPAA allows a CE to disclose PHI to another CE (and its business associates) without a patient authorization for such other CE’s health care operations if the following three requirements are met:
- Both CEs must have or have had a relationship with the patient;
- The PHI must concern that relationship; and
- The disclosing CE must disclose only the minimum PHI necessary for the recipient CE’s particular health care operations activity.
Further, HIPAA also permits the sharing of data among CEs participating in an organized health care arrangement (OHCA). Specifically, HIPAA permits CEs to disclose PHI about an individual to other participants of the OHCA for any joint health care operations activities of the OHCA without patient authorization. OHCAs include integrated care settings where individuals receive health care from more than one provider, organized systems of health care where multiple CEs participate together in certain activities and some group health plans or issuers of health insurance.
Is there a need for a BAA in population health activities?
For individual CEs, HIPAA does not always require the execution of a business associate agreement before entities are permitted to share data with one another.
For example, if a health plan hires a health care management company to provide resources to certain plan members with chronic health conditions, a business associate agreement is only required between the health plan and the management company. The physicians serving plan members can make permissible disclosures directly to the health management company without the need to execute a business associate agreement with the company, so long as the health management company does not provide other services directly to the physicians.
CEs participating in OHCAs, on the other hand, are explicitly excluded from the definition of business associates. Therefore, CEs participating in the OHCA may share PHI for the joint health care operations activities of the OHCA without entering into business associate agreements with each other.
Thus, health care providers and health plans should not let misconceptions about HIPAA keep them from pursuing more opportunities related to population health and care coordination. This blog post contains general information about how HIPAA relates to these topics, and your specific program may require other considerations. If you have any questions regarding HIPAA or population health and care coordination, please contact the authors of this blog.
Tonya Oliver Rose is a member of Thompson Coburn’s Health Care group.