May a HIPAA Notice of Privacy Practices (NPP) specifically mention that protected health information (PHI) will be disclosed to and through a health information organization (HIO)? May the NPP mention that the covered health care provider uses an electronic health record (EHR)?
Yes, covered entities are permitted to include such information in their NPPs. The HIPAA Privacy Rule requires that a covered entity’s NPP describe the types of uses and disclosures of PHI a covered entity is permitted to make. The Rule also requires that a covered entity’s NPP include at least one example of the uses and disclosures the covered entity is permitted to make for treatment, payment, and health care operations purposes. See 45 C.F.R. § 164.520(b). While the Privacy Rule does not require that these examples describe the covered entity’s disclosure of PHI to and through a HIO for treatment and other purposes, or that a covered health care provider uses an EHR, the Privacy Rule does not preclude a covered entity from including in its NPP additional information concerning the covered entity’s participation in these activities. Alternatively, a covered entity may wish to provide the individual with a separate notice of the disclosures that may be made to and through a HIO, and how the individual’s health information will be protected.
Such notice that mentions that PHI will be disclosed to and through a HIO or that the covered health care provider uses an EHR would help facilitate the openness and transparency in electronic health information exchange that is important for building trust, and thus is encouraged. Some individuals also may find the fact that a health care provider participates in electronic health information exchange, or that the provider uses an EHR, to be an important factor that could lead individuals to choose that provider over another. Also, to the extent the individual is provided with certain choices of how or if the individual’s information is to be exchanged through a HIO, notice of the disclosures a covered entity may make to and through a HIO, as well as how the individual’s information will be protected, would be an important element of informing such choices.