Lucia Savage, chief privacy officer in the Office of the National Coordinator for Health IT, is fighting to dispel a widespread and persistent misconception in the healthcare industry: that HIPAA makes it difficult, if not impossible, to move electronic health data for patient care.

A lawyer by training, Savage joined ONC in October 2014 determined to set the record straight on the federal law. According to Savage, some healthcare providers are not sharing protected health information because of their organization’s policies, procedures or protocols—even if such data exchange is permitted under HIPAA. In fact, providers often will not share PHI with each other or payers without written patient consent.

Lucia Savage
Lucia Savage

“It’s acutely frustrating because I know better,” says Savage, who came to ONC from the payer side, serving as senior associate general counsel at UnitedHealthcare, where she supervised a team representing the payer in its work in large data transactions related to health information exchanges, healthcare transparency projects and other data-driven healthcare projects.

Savage makes the case that HIPAA provides many pathways for permissibly exchanging PHI. To help dispel some of the myths around HIPAA which make it difficult to move electronic health data between providers and to patients, ONC and the HHS Office for Civil Rights issued guidance in February on permitted uses and disclosures for both exchange for healthcare operations and exchange for treatment.

Greg Slabodkin, managing editor of Health Data Management, spoke with Savage about what data exchange is and is not permissible under the law.

Do healthcare providers use HIPAA as an excuse for not sharing electronic health information with both patients and other providers?

It’s definitely stated as the rationale. If you dig a little deeper, what we don’t know is whether that’s because people are genuinely trying to protect individuals’ privacy and just misunderstand the rules, or if privacy practices are being used for other reasons, such as business practices and organizations don’t want to share information. We highlighted this in our information blocking report to Congress last year.

This is based on real anecdotes that come to our attention and based on our experience in the questions that we get in the field. There are sometimes very important reasons to keep information private, but there are also some extremely important reasons to share it, and sharing is permitted under HIPAA in the right circumstances.

What are HIPAA-permitted uses and disclosures?

HIPAA is designed in a very clever way. The Privacy Rule applies the same to information whether it’s electronic or on paper. So, the rules that tells stakeholders how to access, use or disclose protected health information are the same.

There are a number of circumstances in which data that is considered PHI can move around within the system automatically so that the system keeps functioning. Those circumstances are data exchange for payment, treatment and healthcare operations. In the case of treatment, physicians can trade data with each other for patients they share in common.

Is it permitted to use and disclose PHI without first obtaining written authorization from a patient?

Under certain circumstances, yes, and we’ve tried to illustrate those in both our healthcare operations and treatment fact sheets. However, the facts and circumstances have to fit within those permissions in the regulations. We’ve explained what is permitted by law, at least under federal rules.

Many states have their own laws and regulations to protect the privacy of health information that apply in addition to HIPAA privacy protections and requirements on use and disclosure. Are these laws that vary from state to state part of the problem?

At the very least, the state laws—because of their diversity—are impeding our ability to make this whole process of collecting and documenting consent able to be executed by computers. Because now you have to have a computer and programmer understand the law in each of however many states there are—and, there’s a wide variation. But, in addition to that, the stakeholders themselves remain confused.

We are not in any position to tell states what to do—and, we would never try to do that. It’s about our trying to be helpful to states as they try to improve interoperability and patient health.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access