The Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) have published a new fact sheet covering some important topics about HIPAA data sharing.
As you may already know, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 places certain restrictions on what information doctors and covered entities can share, and with whom they can share it. Generally speaking, personally identifiable information – Protected Health Information (PHI) – cannot be shared without the patient's permission.
The advent of the Internet and cloud computing, however, has raised some questions regarding HIPAA data sharing. In an effort to shed light on this topic, the ONC and OCR have published a new fact sheet. Among other things, the fact sheet presents nine hypothetical scenarios in which a covered entity may need to share a patient's personal data.
In one of the scenarios presented, a doctor needed to share a patient's personal data because the patient had a disease (medical conditions are considered PHI). When explaining this scenario, the ONC said the hospital may use certified health IT to disclose the patient's condition to the CDC. Note: the fact sheet referred to the hospital in this scenario as “Healthy Hospital,” as described in the excerpt below.
“Healthy Hospital may use health IT certified by the ONC Health IT Certification program (certified health IT) to disclose PHI to the CDC in response to the request and may reasonably rely on CDC’s request as to the PHI needed,” wrote the ONC in the new fact sheet. “Healthy Hospital must meet the requirements of the HIPAA Security Rule if providing electronic PHI to CDC.”
The ONC's fact sheet goes on to explain that data may be subject to the Food and Drug Administration's jurisdiction as well. How does the FDA govern medical data? Medical devices fall under the FDA's jurisdiction, which is particularly significant given the increasing use of mobile health devices in the medical field. Doctors and hospitals are using medical devices to improve their treatment options for patients, and because these devices are governed by the FDA, it is important to follow its regulations.
Don't wait until you receive an audit notice to ensure your practice is compliant with HIPAA. Take the necessary measures now; otherwise, you could face hefty fines and corrective actions if you are targeted.