Does the HIPAA Privacy Rule permit a covered health care provider to disclose protected health information to value-based care arrangements, such as accountable care organizations,¹ for treatment purposes without the individual’s authorization?

Yes, the Privacy Rule permits a covered entity² to disclose protected health information³ (PHI) for the treatment activities of a health care provider, without an individual’s authorization.⁴ The Privacy Rule generally allows PHI to be used or disclosed without restriction for treatment purposes.⁵ This includes disclosures of PHI to participants in value-based care arrangements, such as accountable care organizations.

The Privacy Rule defines “treatment” as “the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”⁶ Thus, the definition incorporates the necessary interaction of more than one entity.⁷ As a result, a covered entity is permitted to disclose PHI, regardless of to whom the disclosure is made, where the disclosure is made for the treatment activities of a health care provider.⁸

Examples:

• A covered health care provider may disclose PHI for the treatment activities of another health care provider without the individual’s authorization where both providers are treating the individual through a value-based care arrangement (e.g., an accountable care organization).
• A health plan may disclose PHI to a health care provider without the individual’s authorization to enable the health care provider to provide treatment as part of a value-based care arrangement.

While the Privacy Rule generally does not require a covered entity to obtain an individual’s authorization⁹ to use or disclose their PHI for treatment, it does permit them to obtain the individual’s consent for such purposes.¹⁰ For information about the difference between “consent” and “authorization” under the Privacy Rule, please visit OCR’s HIPAA for Professionals FAQ.

Endotes

¹  Accountable Care Organization (ACO) is a legal entity that is recognized and authorized under applicable State, Federal, or Tribal law, is identified by a Taxpayer Identification Number (TIN), and is formed by one or more ACO participants(s) that is(are) defined at 42 CFR 425.102(a) and may also include any other ACO participants described at 42 CFR 425.102(b). 42 CFR 425.20 (definition of “Accountable care organization”).

²  45 CFR 160.103 (definition of “Covered entity”).

³  45 CFR 160.103 (definition of “Protected health information”).

⁴  45 CFR 164.506(c)(2).

⁵  67 FR 53182, 53214 (August 14, 2002).

⁶  45 CFR 164.501 (definition of “Treatment”).

⁷  67 FR 53182, 53214 (August 14, 2002).

⁸  Id.

⁹  45 CFR 164.508.

¹⁰  45 CFR 506(b).