
This document is intended to provide general information to assist in the discussions of the CPS Workgroup. The document may contain general legal information and should not be construed as legal advice to be applied to any factual situation. Neither the CPS Workgroup nor its staff makes any claims, promises, or guarantees about the accuracy, completeness, or adequacy of the information contained in this document.

Scenario Environment:

The District of Columbia health information exchange HIE-DC is a local health information exchange comprised of 100 providers (primary care, specialists, dentists, etc.), 10 hospitals, 3 insurers, and 2 labs.

Scenario Description:

Each scenario below will start with a short vignette to initiate a type of health information exchange. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule “notes” will accompany each scenario to highlight helpful parts of the Privacy Rule that relate to this exchange environment. Finally, different types of health information exchange will be proposed and a baseline (i.e., the most likely to currently occur) will be identified to serve as a comparative point to determine what, if any, differences exist.

Definitions:

  • “Repository” model: electronic health records (EHRs) reside on HIE-DC’s system and are available 24/7.

  • “Non-repository” model: EHRs are not held by HIE-DC but are locatable and available 24/7.

Scenario 1 Treatment:

Mr. Gray attends an office party and falls ill several hours later. With his condition worsening, his wife brings him to the Capital Hospital emergency room. Capital Hospital needs to obtain Mr. Gray’s medical history.

Privacy Rule Note(s):

  • Minimum necessary applies to Capital Hospital’s uses of information for treatment purposes but does not apply to disclosures for treatment, 164.502(b).

  • While consent for a disclosure for treatment is permitted, 164.506 (b)(1), it is not required, and a covered entity may disclose protected health information (without an individual’s authorization) for the treatment activities of a health care provider, 164.506(c)(2).

  • Any agreed-upon restrictions (a covered entity does not have to agree to a restriction, 164.522(a)(1)(ii)) under 164.522(a)(i)(A) would have to be honored.

    • Except, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, that restricted information may be used or disclosed to treat the individual, 164.522(a)(1)(iii).

    • If restricted protected health information is disclosed for emergency treatment, the covered entity disclosing the information must request that the recipient not further use or disclose the information, 164.522(a)(1)(iv).

Type 1: (Baseline)

Mr. Gray identifies Dr. Smith as his primary care physician.

  • Capital Hospital calls (or faxes) Dr. Smith to request Mr. Gray’s health information.

    • Minimum necessary would not apply to Dr. Smith’s disclosure;

    • Dr. Smith could choose not to disclose Mr. Gray’s information (i.e., deny the request), or he could disclose Mr. Gray’s information (without an authorization);

    • If Dr. Smith had agreed to a restriction, this was an emergency, and the restricted information was needed for Mr. Gray’s treatment, Dr. Smith could disclose the restricted information. Additionally, Dr. Smith must request that Capital Hospital not further use or disclose the information.

Type 2: Capital Hospital uses HIE-DC

Similarities to baseline:

Mr. Gray identifies Dr. Smith as his primary care physician.

  • Capital Hospital (through some algorithm) searches HIE-DC for Mr. Gray and Dr. Smith and locates Mr. Gray’s record.

    • Capital Hospital submits an electronic request to Dr. Smith for Mr. Gray’s record.

      • Minimum necessary would not apply to Dr. Smith’s disclosure;

      • Dr. Smith could choose not to disclose Mr. Gray’s information (i.e., deny the request), or he could disclose Mr. Gray’s information (without an authorization);

      • If Dr. Smith had agreed to a restriction, this was an emergency, and the restricted information was needed for Mr. Gray’s treatment, Dr. Smith could disclose the restricted information. Additionally, Dr. Smith must request that Capital Hospital not further use or disclose the information.

Possible differences from baseline:

  • Independent of Mr. Gray, Capital Hospital now has the means to find out information about him.

  • HIE-DC is a “non-repository” model and Capital Hospital is capable of “pulling” Mr. Gray’s record without Dr. Smith’s knowledge (i.e., he does not play a role in the request).

    • In this situation, it could be assumed that participants in HIE-DC have uniformly agreed that they will share for treatment when no authorization is needed.

    • Should we be concerned about the search results? What if a search is broad enough to show multiple providers that Mr. Gray has gone to and one happens to indicate a mental or behavioral health provider?

    • HIE-DC needs to have a way to handle decisions made in Dr. Smith’s office about who or what to make available to HIE-DC.

      • Restrictions could play a larger role in this environment. They may be easier to implement and be determined by Mr. Gray.

  • HIE-DC is a “repository” model and Capital Hospital has direct access to Mr. Gray’s record(s).

    • Again, in this situation, it could be assumed that participants in HIE-DC have uniformly agreed that they will share for treatment when no authorization is needed.

      • Does HIE-DC combine health information into one “complete/combined” record?

        • Would there be a way to separate out information solely related to treatment (i.e., information from “non-treatment” members of HIE-DC could be included)?

        • What if mental or behavioral health information was included in this “combined” record?

  • (*CPS 6/12 Rec) HIE-DC would have to provide for restrictions.

  • What happens if Dr. Smith is not part of HIE-DC?