The Real HIPAA

Quality Assessment/Quality Improvement and Population-Based Activities Examples

By Lucia Savage, J.D./Chief Privacy Officer, and
Aja Brooks, J.D./Privacy Analyst

Welcome to the fourth and final blog post in our series on how HIPAA supports interoperability. In the previous installments, we provided practical examples and illustrations that show how Health Care Operations Permitted Uses and Disclosures apply to covered entities. In this post, we pick up where we left off and provide examples of how HIPAA supports exchange of electronic health information for Quality Assessment/Quality Improvement and Population-Based Activities. As before, more detail is available in the new ONC fact sheets on HIPAA Permitted Uses and Disclosures for exchange (Treatment and Health Care Operations), developed in conjunction with the Office for Civil Rights.

Example 4: Quality Assessment/Quality Improvement – 45 CFR 164.506(c)(5)
An Accountable Care Organization (ACO) that consists of multiple providers operating as an Organized Health Care Arrangement (OHCA) has a quality committee made up of professionals from within the ACO. In order to improve patient health and meet Medicare’s quality improvement requirements, the quality committee plans to obtain and review treatment and health outcomes of ACO patients who experienced hospital-acquired infections and surgical errors. Providers participating in the ACO/OHCA may permit the ACO quality committee to access the Protected Health Information (PHI) needed for the quality assessment.

Where the ACO is not operated as an OHCA, but the quality committee is evaluating care quality on behalf of the individual providers in the ACO, the providers participating in the ACO may permit the ACO quality committee to access the necessary PHI for the quality assessment, but only for patients whom the requesting and disclosing providers have in common, pursuant to 164.506(c)(4), rather than for all the patients in the ACO.

In both instances, (OHCA and non-OHCA), access to, or disclosure of, electronic PHI can be made using Certified EHR Technology, so long as the HIPAA Security Rule is complied with.

Example 5: Quality Assessment/Quality Improvement – 45 CFR 164.506(c)(1) and (c)(4)

As part of a quality review, a health care provider may need to know the health outcome of a patient that the provider treated but no longer has contact with (e.g., patient was transferred to another provider). The provider may query a Health Information Exchange (HIE) for the relevant health outcomes of the individual, or the provider could directly ask the subsequent provider for information.

A provider that has treated the patient and is responding to this query may use Certified EHR Technology to send the relevant information directly to the requesting health care provider, or may disclose to the requesting provider using the HIE. Disclosure of electronic PHI by Certified EHR Technology or other electronic means requires HIPAA Security Rule compliance. This scenario also works for health plans with a relationship with the patient; it is not limited to providers.

Example 6: Population-Based Activities – 45 CFR 164.506(c)(1) and (c)(4)

Unaffiliated hospitals in the same community often see the same patients and may not be able to tell whether a patient’s hospital-acquired infection resulted from care received at the current treating hospital or from a prior visit to a separate hospital in the community.

The hospitals that have treated or are treating the patient may use Certified EHR Technology to share relevant PHI to try to determine the source and/or cause of the infection in order to prevent further infections.

Disclosure of electronic PHI by Certified EHR Technology or other means requires HIPAA Security Rule compliance.

Getting to Know HIPAA

We hope our blog series and our new fact sheets on HIPAA Permitted Uses and Disclosures for exchange (Treatment and Health Care Operations) have shed some light on how HIPAA supports the goal of nationwide, interoperable exchange of health information for patient care and health. For questions about privacy, security and interoperability, contact For questions about HIPAA privacy and security, contact OCR at

This blog and the links it contains are provided for informational purposes only. The information contained in this blog is not intended to serve as legal advice, nor should it substitute for legal counsel. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

Real HIPAA Blog Series

This post was originally published on the Health IT Buzz and is syndicated here with permission.