Communication of Possible Healthcare-associated Infections across Healthcare Settings
In June 2013, the Council of State and Territorial Epidemiologists (CSTE) passed position statement 13-ID-09, “Communication of Possible Healthcare-Associated Infections across Healthcare Settings”. The position statement recognized that inter-facility communication of possible healthcare-associated infections was important to the recognition and prevention of these infections. An Appendix to the Position Statement was developed by CDC scientists and lawyers in collaboration with HHS Office of Civil Rights (OCR) program and legal staff, who oversee administration of the Health Insurance Portability and Accountability Act (HIPAA). The Appendix, which is re-printed below, provides questions and answers clarifying the permissibility of Facility/Provider to Facility/Provider communications under HIPAA.
Facility/Provider to Facility/Provider Communications Under HIPAA: Questions and Answers
Note: The following document was developed by CDC scientists and lawyers in collaboration with HHS Office of Civil Rights (OCR) program and legal staff, who oversee administration of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This information may not be modified without express permission of OCR.
Health care providers [i.e., individual clinicians and facilities (including hospitals and other health care facilities such as nursing homes and rehabilitation facilities)] are increasingly active in addressing concerns about patient safety and minimizing patients’ risks of adverse healthcare events. In an era when the public, policymakers, and many health care providers seek greater transparency and accountability in healthcare, these efforts include but are not limited to new or renewed emphasis on information sharing among providers themselves about adverse events that are a consequence of care processes, care process omission, or some other risk exposure during a health care episode, such as exposure to an infectious agent.
Health care providers have raised questions as to whether the HIPAA Privacy Rule permits information sharing between individual providers and/or facilities for patient safety-related purposes. This guidance assumes that the provider seeking to share such patient information is a HIPAA covered entity. While any health care provider may be faced with these questions, they tend to arise more frequently at the facility level. The term “patient” is also used here to encompass persons residing in nursing homes or other facilities, where they are often referred to as “residents.” “source facility” or “source provider” refers to the health care facility or individual provider that first cared for the patient. Protected health information (PHI) is individually identifiable health information, such as information that identifies (or can be used to identify) a patient.
Does HIPAA permit a health care facility to share PHI with the source facility where a patient was previously treated or where a patient previously resided, without the patient’s authorization, for purposes of providing notification of an infection with potential infection control implications at the source facility?
In these scenarios a resident of a nursing home is admitted into a hospital, certain medical conditions are diagnosed, and the hospital wants to disclose this health information back to the nursing home.
- A practitioner at the hospital diagnoses a patient’s tuberculosis and wants to inform the nursing home so that the staff there can quarantine the coughing roommate of the index case.
- The patient is admitted with sepsis and later dies in the hospital. Blood cultures drawn at admission grow group A streptococcus. The hospital seeks to disclose that this patient was diagnosed with invasive group A streptococcal infection (which causes serious outbreaks in nursing homes) to the nursing home for infection control purposes, even though the patient will not be returning.
- The hospital diagnoses the patient with influenza early in the flu season, and wants to disclose this diagnosis to the nursing home for infection control purposes.
In each scenario the hospital will want to disclose the name of the patient so the nursing home can verify that this patient had been a resident in their home and the date and location of service.
The HIPAA Privacy Rule permits a covered health care provider to use or disclose PHI for treatment purposes without the authorization of the patient. (Generally, disclosures of psychotherapy notes require written patient authorization, but these notes do not appear relevant here.) 45 CFR 164.506(c) and 164.508(a)(2). “Treatment” is defined to include the provision, coordination, or management of “health care” and related services. 45 CFR 164.501. “Health care” is defined to include preventive care. 45 CFR 160.103. Treatment refers to activities undertaken on behalf of individual patients. While in most cases, the information regarding an individual is needed for the treatment of that individual, the HIPAA Privacy Rule also allows the information regarding one individual (e.g., a patient) to be used or disclosed for the treatment or preventive care (e.g., vaccinations or quarantine) of other persons (e.g., patients at risk).
In these scenarios, the patient (and former nursing home resident) has or had a medical condition while at the nursing home that may directly impact the health of certain or all residents at that facility. In some cases, the nursing home did not know of this condition, or the condition had not manifested itself at the time the patient was at the nursing home. The hospital may disclose PHI of the patient (and former nursing home resident) to the nursing home for treatment purposes involving other residents.
A distinction is made between use and disclosure of PHI for treatment purposes with regard to the “minimum necessary” requirement. The “minimum necessary” requirement does not apply to disclosures of PHI for treatment purposes, and the disclosures discussed above are treatment disclosures that are permitted under the HIPAA Privacy Rule.
After PHI is disclosed to the nursing home, the information may be used for the provision of treatment to the nursing home residents. For example, preventive measures, such as cohorting, isolation, or prophylaxis of specific patients who may be at risk at the nursing home, are considered treatment under the Privacy Rule. The uses of PHI by the nursing home for treatment purposes in the above scenarios are subject to the Privacy Rule’s “minimum necessary” requirement, and the nursing home’s minimum necessary policies. A nursing home, as a covered entity, must identify those persons or classes of persons in its workforce who need access to PHI, and for each such person or classes of person, the category or categories of PHI to which access is needed, and any conditions appropriate to such access. 45 CFR 164.514(d)(2). Visit the HHS website for more information on the “minimum necessary” requirement.
Under HIPAA, is a health care facility permitted to share PHI with another health care facility that previously treated or housed a patient, without that patient’s authorization, for purposes of notifying this source facility of a potential complication of care related to the health care provided at the source facility so as to monitor and improve care and prevent future complications?
- A hospital identifies a surgical site infection (SSI) that is probably attributable to an ambulatory surgical care facility and/or surgeon that performed the surgery within the past 12 months. The hospital seeks to notify the ambulatory surgical care facility about the SSI, or in a given situation, notify the surgeon directly.
- A patient is admitted to Hospital B with a surgical site infection (SSI) after an operation at another hospital (Hospital A), where the patient had been operated on and then discharged without signs or symptoms of infection. Because of federal requirements (e.g., the Centers for Medicare and Medicaid Services’ Inpatient Quality Reporting program requirements) or state law or policy, both hospitals are committed to reporting all SSIs following the type of operation performed on the patient. Hospital B seeks to report the SSI to Hospital A, where the SSI is presumed to have originated, so that Hospital A can fully account for SSIs attributable to its care.
The HIPAA Privacy Rule permits a covered entity to use or disclose PHI for certain “health care operations” purposes without the authorization of the patient. 45 CFR 164.506(c). This includes a covered entity disclosing PHI to another covered entity for certain purposes if each entity either has or had a relationship with the individual who is the subject of the information, and the PHI being disclosed pertains to the relationship. 45 CFR 164.506(c)(4). Of relevance here, disclosures are permitted for the purpose of the covered entity receiving the information “conducting quality assessment and improvement activities; . . . population-based activities relating to improving health [and] protocol development.” 45 CFR 164.501 (definition of “health care operations”). Only the minimum amount of PHI necessary for the particular health care operations purpose may be disclosed.
The disclosures discussed above are health care operations disclosures that are permitted under the HIPAA Privacy Rule. In these scenarios we assume that the hospitals sharing the PHI, the ambulatory surgical care facility, and the surgeon are all HIPAA covered entities. The hospitals disclosing the PHI would be sharing information regarding a patient who the surgical facilities (either the ambulatory care facility or the hospital) and/or surgeon had treated, and the communication is in regard to the treatment that had been provided. The disclosures are so that the surgical facilities and/or surgeon can monitor and improve the quality of care provided. This falls under “conducting quality assessment and improvement activities,” and perhaps “population-based activities relating to improving health,” and/or “protocol development.” In these scenarios, information regarding the patient with an SSI can be shared with the surgical facilities and/or surgeon. While only the minimum amount of information regarding the patient may be disclosed, in these scenarios the identity of the patient may be shared because it is needed to investigate the cause of the infections (e.g., the dates and locations of care, and the staff involved.) There is likely to be no need to share health information regarding these patients that is unrelated to investigating the SSI.
Visit the HHS website for additional information regarding disclosures for treatment and healthcare operations purposes.
Get email updates
To receive email updates about this page, enter your email address:
Centers for Disease Control and Prevention
National Healthcare Safety Network
1600 Clifton Rd
Atlanta, GA 30333
- Contact NHSN@cdc.gov