Yes, so long as the disclosure of PHI is authorized by the HIO’s business associate agreement and the information exchange would be permitted by the HIPAA Privacy Rule. For example, a HIO may disclose, on behalf of a primary care physician, PHI about an individual for treatment purposes in response to a query from another HIO, acting on behalf of a hospital at which the individual is a patient, unless, for instance, the primary care physician has agreed to the patient’s request to restrict such disclosures. Similarly, a HIO that is a business associate of two different covered entities may share PHI it receives from one covered entity with the other covered entity as permitted by the Privacy Rule and its business associate agreement, for example, for treatment purposes, subject to any applicable restrictions.
October 2018
Tags: HIPPA, Health Information Technology
Log in or Register to save this content for later.