The (Largely) Unknown HIPAA Privacy Rule Provision that Speeds Access to Social Services
October 6, 2021
Overview
Often a patient wants a health care provider to share their Protected Health Information (PHI) with a social service organization (SSO) for support they are receiving that directly or indirectly relates to their health. The provider’s efforts to obtain the patient’s written authorization to release that PHI often delays the support they need from the SSO. That delay is compounded when the patient has no option but to physically go to the provider’s office to sign the authorization, a challenge or even an impossibility for individuals without transportation or who are short on resources. The paperwork needed to obtain patient authorization also takes precious clinical time from healthcare providers and their staff.
What is not widely recognized, despite being allowed under HIPAA, is that sharing PHI for care coordination purposes does not require written authorization under the HIPAA Privacy Rule. In fact, the Office for Civil Rights (OCR) released guidance in 2018 that specifically allows the data to be shared:
A health care provider may disclose a patient’s PHI for treatment purposes without having to obtain the authorization of the individual. Treatment includes the coordination or management of health care by a health care provider with a third party. Health care means care, services, or supplies related to the health of an individual. Thus, health care providers who believe that disclosures to certain social service entities are a necessary component of, or may help further, the individual’s health or mental health care may disclose the minimum necessary PHI to such entities without the individual’s authorization. For example, a provider may disclose PHI about a patient needing mental health care supportive housing to a service agency that arranges such services for individuals. (emphasis added)
It is already widely known among providers that HIPAA covered entities do not need to obtain written patient authorization to release a patient’s PHI for treatment, payment, or operations purposes. What more people throughout the healthcare and social service communities need to know is that a provider’s coordination or management with an SSO for issues related to the individual’s health, directly or indirectly, is explicitly included in the HIPAA definition of treatment. As a result, a Federally Qualified Health Center’s nurse practitioner or a hospital’s case manager can share PHI with the patient’s care coordinator at a homeless shelter or her case manager at Meals On Wheels without needing the patient’s written consent. However, it’s important to note that ensuring that a patient’s informed consent has been given is good practice and ethically sound.
Because the OCR continued to hear, despite its guidance, that many covered entities will only make PHI disclosures to social service agencies and community-based organizations after obtaining written authorization from the individual, it proposed adding clarifying language to the HIPAA Privacy Rule in its January 21, 2021, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement. (See page 6475.) OCR has proposed to amend 45 CFR 164.506, “Uses and disclosures to carry out treatment, payment, or health care operations,” by adding a new subsection 164.506(c)(6) which would read,
(6) A covered entity may disclose an individual’s protected health information to a social services agency, community-based organization, home and community-based services provider, or similar third party that provides health or human services to specific individuals for individual-level care coordination and case management activities (whether such activities constitute treatment or health care operations as those terms are defined in § 164.501) with respect to that individual.
Even before the proposed modification is considered, since the current Privacy Rule does not require written authorization for care coordination purposes, covered entities and SSOs may want to evaluate the reason(s) they entered into any Business Associate Agreements (BAA) they have with each other. If a covered entity has a BAA with an SSO based on a contractual relationship where the SSO provides a service to patients on behalf of the treating provider, a BAA is required. However, if the sole purpose of the BAA as written was to share PHI with SSOs to aid the individual in obtaining the SSO’s services tied to their health there, a BAA between the covered entity and SSO would not be required.
Network law and policy experts are available to answer these and other questions regarding HIPAA and privacy at no charge. You can request assistance here or contact Chris Alibrandi directly.
This post written by Chris Alibrandi, JD, Senior Staff Attorney, Network for Public Health Law – Mid-States Region Office.
The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document do not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.
Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not represent the views of (and should not be attributed to) RWJF.