To what extent does the HIPAA Privacy Rule allow third parties to access protected health information (PHI) through a health information organization (HIO) for purposes other than treatment, payment, and health care operations?

The Privacy Rule would permit a HIO, acting as a business associate of one or more covered entities, to make any disclosure the covered entities are permitted by the Privacy Rule to make, provided the HIO’s business associate agreement(s) authorizes the disclosure. See 45 C.F.R. § 164.504(e). For example, the Privacy Rule permits a covered entity to make disclosures of PHI for public health and research purposes, provided certain conditions are met. Such disclosures may be made by a HIO, on behalf of one or more covered entities, provided the covered entities or HIO satisfy all of the Privacy Rule’s applicable conditions, and the business associate agreement(s) with the HIO authorize the HIO to make the disclosure.

Created 12/15/08