HIPAA & Modern Healthcare Realities: Dispelling Data Sharing Myths

Timi Leslie, President, BluePath Health and Exec Director of the Connecting for Better Health Coalition

Myths in healthcare data sharing often cloud the understanding of permissible practices, but this hesitance usually stems from risk avoidance rather than regulatory constraints. HIPAA (Health Insurance Portability and Accountability Act) stands as a sentinel, guarding the security and privacy of patient information, but its limitations in supporting contemporary information-sharing needs must be acknowledged. 

As “health care” continues to evolve beyond just medical care, clear guidance is critical to ensure that HIPAA’s safeguards align with modern realities and, even more importantly, that providers understand the basic fundamentals. Some of these realities include a growing number of states undergoing new Medicaid waivers to address health-related social needs and state initiatives accelerating data sharing not only between healthcare providers, but also with community-based organizations (CBOs) and social services organizations (SSOs). Despite HIPAA allowing disclosures of protected health information (PHI) to these non-covered entities, there is great hesitation to share without individual authorization. 

Take California’s Data Exchange Framework (DxF) for example. A visionary move established by state law to achieve statewide data sharing in California, the DxF mandates the exchange of health and social service information among participating entities. Amid this mandate,  questions remain around how to share PHI with entities not covered under HIPAA.

Here are a few common misconceptions about data exchange as it relates to HIPAA-covered entities and non-covered entities: 

Myth #1: Any organization can violate HIPAA

HIPAA regulates covered entities to ensure the protection of data and to oversee its proper sharing. Non-covered entities are not subject to HIPAA requirements, and therefore cannot technically violate them. However, they may be required to comply with certain HIPAA provisions, like the Security Rule and Breach Notification Rule, and may have additional obligations under state law or contractual requirements.

Myth #2: PHI may never be shared with non-covered entities

A covered entity may share PHI with a non-covered entity as allowed by the HIPAA, which specifies the permitted uses. For instance, a treating provider may share relevant PHI with a SSO or a CBO, provided that the organization offers a treatment-related service to the patient.

Myth #3: PHI cannot be shared with non-covered entities for care coordination and case management purposes

HIPAA permits the sharing of PHI with CBOs and SSOs for care coordination and case management. For instance, a health care provider can share a patient’s PHI if they are in need of mental health supportive housing to an agency arranging such services; or they can share the individual’s information with a senior center or adult day care provider to arrange necessary health services like home aides. 

Myth #4: Written authorization is required to share PHI with third parties for care coordination or treatment purposes

Under HIPAA, health care providers can share PHI with third parties, like CBOs and SSOs, for treatment purposes without requiring individual authorization, as per OCR guidance. For example, a covered health care provider may disclose PHI to a senior center or adult day care provider to help coordinate necessary health-related services for an individual, such as arranging for a home aide to help an older adult with their prescribed post-discharge treatment protocol. However, if they did obtain patient consent to share, PHI can be shared more broadly with the CBOs and SSOs that are included on that authorization. 

Myth #5: Covered entities are responsible for what the receiving party does with the PHI

The covered entity is responsible solely for complying with HIPAA when disclosing PHI to CBOs or SSOs in a permitted and secure manner. This involves ensuring that the disclosure serves a permitted purpose and securely sending the PHI to the correct recipient. However, the covered entity is not accountable under HIPAA for the actions of the CBO or SSO after they disclose the information for a legitimate reason and in a secure manner.

A coordinated health care and social service delivery system requires clarity and education to ensure that the greater vision of data sharing is achieved: improving patient health and well-being. As data sharing becomes more integral to support modern health care practices with new partnerships and cross-sector collaboration, state and federal updates to relevant privacy regulation and guidance – including the HIPAA Privacy Rule – should clearly state the latest standards to ease concerns among even the most risk-averse organizations.


About Timi Leslie

Timi Leslie leads Connecting for Better Health, a coalition that strives to improve data-sharing infrastructure with a goal of transforming health and social outcomes. She is also president of consulting firm BluePath Health and has over 30 years of experience in the healthcare industry.She advises organizations on business strategy, technology innovation, partner relations, product management and system implementation.