HIPAA’s Treatment Exception Permits Sharing with Certain Non-Healthcare Providers

Written in collaboration with Erin MacLean, JD, CHC, CHPC

Over the past several weeks, many have been focused on the proposed changes to the HIPAA Privacy Rule announced in mid-December.  While the proposed changes warrant attention and comment, the commentary to those proposed changes from the Department of Health and Human Services’ Office for Civil Rights (OCR) must not be overlooked.  In its commentary, OCR provides valuable insights on its interpretation of a provider’s ability to disclose information to third parties under HIPAA’s current treatment exception, including a provider’s ability to share protected health information (PHI) with non-healthcare providers without an authorization. 

One major focus of the proposed changes to HIPAA focuses on enhanced information sharing for the coordination of care and case management.  In explaining the importance of sharing information when necessary to coordinate care and manage treatment of patients with third parties involved in an individual’s care, OCR clarifies that the current HIPAA rules allow a treating provider to share relevant PHI with a social service agency or a community-based organization that is not a treating healthcare provider, so long as that organization provides a treatment-related service to the patient.

More details on OCR’s interpretation below, but first, some context is helpful.

Under HIPAA, PHI may be disclosed by a provider to a third-party, without a patient’s authorization, for treatment, payment, and healthcare operations purposes.  The treatment aspect of this exception has long been understood to permit healthcare providers to share PHI only with other treating healthcare providers.  Both healthcare providers and lawyers likely adopted this conservative interpretation of the treatment exception to ensure that no one ran afoul of HIPAA’s Privacy Rule.  As a result, treating providers typically will only share PHI with a community organization like a housing provider, a senior center, or a food delivery service when it has a written authorization from the patient to do so.   

We now know with confidence that OCR considers such sharing, under certain circumstances, to fall within the Privacy Rule’s treatment exception.  The OCR has clarified important differences between sharing PHI with another treating provider and sharing with a social service or community-based organization. 

First, unlike making disclosures to other health care providers for treatment purposes, sharing with a social service or community organization providing treatment-related services, is subject to HIPAA’s minimum necessary rule.  In other words, any sharing with such organizations needs to be limited to the least amount of information necessary for that organization to provide its treatment-related service.

Second, the social service or community organization must be providing a service that is related to the patient’s broader treatment plan or is tied to coordination of care or case management.  As a result, a best practice would be for the treating provider to document the treatment-related need for the service in the patient’s record.  Further, it is important to remember that if the patient rejects the recommended treatment-related service, that rejection likely also flows to the sharing of any PHI with the organization offering those services.

There’s a lot to unpack here, including how this clarification from OCR impacts things like disclosures of COVID-19 test results or vaccination history as well as many other such issues.  Erin MacLean, JD, CHC, CHPC, of Comply In Stride, Inc., and I will tackle those in a webinar on March 2, 2021 at 2 pm EST.  We will provide some examples and best practice tips with a focus on smaller providers, FQHCs and other providers that work with community-based organizations.

We will also address another important aspect of the treatment exception in light of the Office of National Coordinator’s (ONC) recent Information Blocking Final Rules, which take effect on April 5, 2021.  Those rules prohibit health care providers from engaging in certain practices that would restrict authorized access, exchange, or use of electronic health information with other health care providers, when the health care provider is permitted to disclose the information under the Privacy Rule.  In other words, in a few months, unless certain exceptions apply, HIPAA’s permissible sharing standard will shift to a required sharing standard under the Information Blocking Rules.  More on that during our webinar as well.

Webinar Information (registration link below):

HIPAA Updates on Disclosures to Coordinate Care During COVID-19 and Beyond:  Testing, Vaccines and More

While we have long understood HIPAA’s treatment exception to allow one healthcare provider to disclose PHI to another for treatment purposes without an authorization from the patient, recent developments have transformed how we apply this exception.  First, under the new information blocking rules, when a treating provider seeks electronic records from another provider, after April 5, 2021, the disclosure is no longer permitted; it’s required.  Second, the commentary to the proposed changes to HIPAA’s Privacy Rule shed light on how, under the current rules, treating providers can share PHI with social service agencies and community organizations without an authorization from the patient when the disclosure is necessary for access to services related to the health and treatment of the patient.  In this session, with a focus on small providers, FQHCs and rural clinics, we will:

•             Discuss the new information blocking regulations and how they change provider obligations in responding to requests for information from other treating providers;

•             Explore the existing treatment exception under HIPAA and OCR’s interpretation that permits broader sharing with non-healthcare providers;

•             Provide examples of the types of non-healthcare agencies and organizations and the circumstances under which they may receive PHI without an authorization;

•             Focus on COVID-19 related information sharing, especially test results and vaccination history with such agencies and organization, such as homeless shelters, housing agencies, etc.

•             Offer best practice suggestions for ensuring compliance and sample policies.

Presenters: Dena M. Castricone, JD, CIPP/US, CIPM and Erin MacLean, JD, CHC, CHPC

Host: HIPAAtrek

Click here to register!