Skip Navigation

Health Information Technology


Is a health information organization (HIO) covered by the HIPAA Privacy Rule?

Can a health information organization (HIO) operate as a business associate of multiple covered entities participating in a networked environment?

What are some considerations in developing and implementing a business associate agreement with a health information organization (HIO)?

Can a health information organization (HIO), as a business associate, exchange protected health information (PHI) with another HIO acting as a business associate?

Can a health information organization (HIO) participate as part of an organized health care arrangement (OHCA)?

Can a health information organization (HIO) participate as part of an affiliated covered entity?



Correction


Who is responsible for amendment of protected health information in an electronic health information exchange environment?

What are a covered entity’s responsibilities to notify others in a network if an amendment to protected health information is made?



Openness and Transparency

May a HIPAA Notice of Privacy Practices (NPP) specifically mention that protected health information (PHI) will be disclosed to and through a health information organization (HIO)? May the NPP mention that the covered health care provider uses an electronic health record (EHR)?

Are health information organizations (HIOs) required to have a HIPAA Notice of Privacy Practices (NPP)?

May covered entities that operate in electronic environments provide individuals with their HIPAA Notice of Privacy Practices (NPP) electronically?


Individual Choice

Does the HIPAA Privacy Rule inhibit electronic health information exchange across different states or jurisdictions?

How do HIPAA authorizations apply to an electronic health information exchange environment?

Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to Opt-In or Opt-Out of electronic health information exchange?

Who has the right to consent or the right to request restrictions with respect to whether a covered entity may electronically exchange a minor’s protected health information to or through a health information organization (HIO)?

Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to decide whether sensitive information about them may be disclosed to or through a health information organization (HIO)?

Does the HIPAA Privacy Rule permit a covered entity to disclose psychotherapy notes to or through a health information organization (HIO)?

Back to Top


Collection, Use, and Disclosure Limitation


May a covered health care provider disclose electronic protected health information (PHI) through a health information organization (HIO) to another health care provider for treatment?

May a health information organization (HIO) manage a master patient index on behalf of multiple HIPAA covered entities?

What may a HIPAA covered entity’s business associate agreement authorize a health information organization (HIO) to do with electronic protected health information (PHI) it maintains or has access to in the network?

May a health information organization (HIO), acting as a business associate of a HIPAA covered entity, de-identify information and then use it for its own purposes?

How may the HIPAA Privacy Rule’s minimum necessary standard apply to electronic health information exchange through a networked environment?

Does the HIPAA Privacy Rule permit a covered entity to disclose psychotherapy notes to or through a health information organization (HIO)?

To what extent does the HIPAA Privacy Rule allow third parties to access protected health information (PHI) through a health information organization (HIO) for purposes other than treatment, payment, and health care operations?

Back to Top


Safeguards

Does the HIPAA Privacy Rule permit a covered health care provider to e-mail or otherwise electronically exchange protected health information (PHI) with another provider for treatment purposes?

How may the HIPAA Privacy Rule’s requirements for verification of identity and authority be met in an electronic health information exchange environment?

Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

Does the HIPAA Privacy Rule allow covered entities participating in electronic health information exchange with a health information organization (HIO) to establish a common set of safeguards?

Back to Top
 

Accountability


What is a covered entity's liability under the HIPAA Privacy Rule for sharing data inappropriately to or through a health information organization (HIO) or other electronic health information exchange network?

Does the HIPAA Privacy Rule require a covered entity to “police” a health information organization (HIO), which functions as its business associate?

How should a covered entity respond to any HIPAA Privacy Rule violation of a health information organization (HIO) acting as its business associate?

Who is liable under the HIPAA Privacy Rule where multiple covered entities have signed on to a single business associate agreement and one member breaches the agreement?

Back to Top


Right of Access

In an electronic health information exchange environment, what is a designated record set for purposes of an individual’s right of access under the HIPAA Privacy Rule?

How would a covered entity or health information organization (HIO), acting on its behalf, know if someone were a personal representative for the purpose of granting access under the HIPAA Privacy Rule?

How may judgments be made electronically about denial of access under the HIPAA Privacy Rule?



Back to HIPAA - Frequently Asked Questions