
January 30, 2017

By: Stephanie T. Eckerle

The U.S. Department of Health and Human Services Office of Civil Rights and The Office of the National Coordinator for Health Information Technology recently published a new fact sheet entitled “Permitted Uses and Disclosures: Exchange for Health Oversight Activities.”  This fact sheet provides guidance to covered entities and business associates about their ability to provide PHI to a health oversight agency for oversight activities authorized by law, such as inspections, audits or licensure or disciplinary actions. 

The fact sheet is helpful in that it provides practical pointers for steps a covered entity can take to ensure it is complying with the rules on disclosing PHI for health oversight activities.  For example, the fact sheet states that “Uses and disclosures for health care oversight activities also must comply with the minimum necessary provisions of the Privacy Rule (45 CFR 164.514). The discloser is permitted to reasonably rely on the health oversight agency’s description of what the agency believes is necessary for its oversight purposes.”  Fact Sheet, pg. 2. The fact sheet further advises that covered entities may verify that the governmental entity requesting the information is a health oversight agency by requesting a letter with the agency’s identity and authority.  Fact Sheet, pg. 3.

OCR and ONC also provide examples of when a covered entity may disclose PHI for health oversight activities.  These examples include the following scenarios:

  • Disclosure of PHI by a company health plan to a health insurance commissioner that oversees employer-sponsored group health plans.
  • Disclosure of PHI by a physician to a state medical licensing board investigating the physician’s compliance with state licensing requirements.
  • Disclosure of PHI by a nursing home to a Medicaid fraud control unit investigating provider compliance with Medicaid requirements.
  • Disclosure of PHI by a hospital to the FDA to determine if medical devices are harmful to patients.
  • Disclosure of PHI by a health insurance company to a department of insurance to determine compliance with certain civil rights laws.

Any time that a covered entity or business associate receives a request for PHI for health oversight activities, the determination of whether the PHI can be disclosed without a release from the patient is a fact-specific analysis. Once it is determined that a release of the PHI is appropriate, the fact sheet clarifies that covered entities may use certified electronic health record technology or other electronic means for such disclosure of ePHI so long as such technology and disclosure comply with the HIPAA Security Rule. The Fact Sheet can be found here.

Please contact Stephanie T. Eckerle if you have any questions or would like to discuss this matter.