Understanding Some of HIPAA’s Permitted Uses and Disclosures

Information is essential fuel for the engine of health care.  Physicians, medical professionals, hospitals and other clinical institutions generate, use and share it to provide good care to individuals, to evaluate the quality of care they are providing, and to assure they receive proper payment from health plans.  Health plans generate, use and share it to pay for care, to assure care for their members is well coordinated and that populations of individuals with chronic conditions are receiving appropriate care.   The capability for relevant players in the health care system – including the patient – to be able to quickly and easily access needed information to make decisions, and to provide the right care at the right time, is fundamental to achieving the goals of health reform.

The Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were intended to support information sharing by providing assurance to the public that sensitive health data would be maintained securely and shared only for appropriate purposes or with express authorization of the individual.   For more than a decade, the HIPAA regulations have provided a strong privacy and security foundation for the health care system. 

Although the regulations have been in effect for quite some time, health care providers frequently still question whether the sharing of health information, even for routine purposes like treatment or care coordination, is permissible under HIPAA.  Confusion about the rules has been cited by many as a potential obstacle to interoperability of digital health information.   

To address this confusion, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR) have worked collaboratively to develop a series of topical fact sheets on HIPAA Permitted Uses and Disclosures that provide examples of when PHI can be exchanged under HIPAA without first requiring a specific authorization from the patient, so long as other protections or conditions are met. 

One fact sheet addresses Permitted Uses and Disclosures for Health Care Operations, and clarifies that an entity covered by HIPAA (“covered entity”), such as a physician or hospital, can disclose identifiable health information (referred to in HIPAA as protected health information or PHI) to another covered entity (or a contractor (i.e., “business associate”) working for that covered entity), for activities that fall within HIPAA’s definition of “health care operations.”  The fact sheet includes illustrations of how HIPAA supports sharing of PHI by providers to enable case management by a health plan; for quality assessment and/or quality improvement; and for population health.  The other fact sheet, Permitted Uses and Disclosures: Exchange for Treatment, illustrates how HIPAA supports sharing of PHI between and among health care providers in order to treat or coordinate care for their patients. 

Both fact sheets also provide information on what health care providers should do to help assure that sharing PHI for either treatment or operations is in compliance with the HIPAA Privacy and Security Rules. 

As a reminder, permitted uses and disclosures must be addressed in a covered entity’s Notice of Privacy Practices.  HHS offers model notices of privacy practices for both health care providers and health plans.  These model notices are available for free download, in English and in Spanish, at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices

It is our hope that the fact sheets will be helpful tools that help clarify HIPAA and support the goals of interoperability of health information. 

Read the fact sheets

• Permitted Uses and Disclosures for Health Care Operations (PDF)
• Permitted Uses and Disclosures: Exchange for Treatment (PDF)