SNO Policy 400: Uses and Disclosures of Health Information

Purpose and Principles: Through a variety of mechanisms, this model policy reflects the privacy principles of purpose specification and minimization, security safeguards and controls, use limitation, collection limitation, accountability and oversight, and data integrity and quality. The recommended policy integrates HIPAA’s general premise that health information may be used only for permissible purposes and its more specific requirement that entities may disclose only the amount of information reasonably necessary to achieve a particular purpose.[10] In general, requests for disclosure of and/or use of health information for treatment, payment, and the health care operations of a covered entity, as each is defined by HIPAA, will be permitted.[11] Furthermore, subject to certain limitations and under certain circumstances, requesting disclosure of and using health information for law enforcement,[12] disaster relief,[13] research,[14] and public health[15] purposes also may be permissible. Accessing health information through either the RLS or the SNO for marketing or marketing-related purposes is prohibited without specific patient authorization.[16] Under no circumstances may health information be accessed or used for discriminatory purposes. For example, a health plan would not be permitted to use the RLS to determine if a member has visited a health care provider for whom the health plan has not been billed. Such activity would be an impermissible and discriminatory purpose and is prohibited by applicable law and under this Policy. SNOs may provide guidance to Participants detailing the permissibility or impermissibility of requesting or using health information for certain specified purposes under applicable law.

Requiring consideration of the purpose of a use and minimization of the use of information reduces the likelihood of inadvertent or intentional misuses of information. The model policy helps enhance the fair and legal collection and use of data, the oversight of data use, and accountability for privacy violations by ensuring that Participants have legally required documentation prior to the use or disclosure of information.[17] In addition, the integration of HIPAA’s accounting of disclosures and individual access to information requirements allows individuals to understand how health information about them is shared and to exercise certain rights regarding information about them with greater precision and ease.[18]

The recommended provision also requires security measures essential to identify and remedy loss, unauthorized access, destruction, use, modification, or disclosure of personal health information. The audit requirement reflects the HIPAA Security Rule’s general requirement that entities implement policies to prevent security violations, assess security risks, and examine data storage and access technology[19] but, in a manner more protective than HIPAA, would establish monitoring requirements as to when information is accessed and by whom. To prevent unauthorized access to information and maintain data integrity and quality, the authentication provision of the model policy requires that both the identity and authority of an entity requesting health information be verified and authenticated, integrating requirements from the HIPAA Privacy Rule and Security Rule.[20]

The combination of this recommended policy’s use and security provisions helps guarantee that health information is used and accessed only as authorized and that Participants have proper measures in place to identify and address privacy violations. Consequently, individuals can remain confident that information about them is being used with care and in the manner promised by Participants.

Recommended Language

Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide, make available, or request health information through the SNO.

Policy:

  1. Compliance with Law. All disclosures of health information through the SNO and the use of information obtained from the SNO shall be consistent with all applicable federal, state, and local laws and regulations and shall not be used for any unlawful discriminatory purpose. If applicable law requires that certain documentation exist or that other conditions be met prior to using or disclosing health information for a particular purpose, the requesting institution shall ensure that it has obtained the required documentation or met the requisite conditions and shall provide evidence of such at the request of the disclosing institution.[21]
  2. Purposes. A Participant may request health information through the RLS or SNO only for purposes permitted by applicable law. Each Participant shall provide or request health information through the RLS or SNO only to the extent necessary and only for those purposes that are permitted by applicable federal, state, and local laws and regulations and these Policies.[22] Information may not be requested for marketing or marketing-related purposes without specific patient authorization. Under no circumstances may information be requested for a discriminatory purpose. In the absence of a permissible purpose, a Participant may not request information through the RLS or from the SNO.
  3. SNO Policies. Uses and disclosures of and requests for health information via the SNO shall comply with all SNO Policies, including, but not limited to, the SNO Policy on Minimum Necessary and the SNO Policy on Information Subject to Special Protection.[23]
  4. Participant Policies. Each Participant shall refer to and comply with its own internal policies and procedures regarding disclosures of health information and the conditions that shall be met and documentation that shall be obtained, if any, prior to making such disclosures.
  5. Accounting of Disclosures. Each Participant disclosing health information through the SNO shall work towards implementing a system to document the purposes for which such disclosures are made, as provided by the requesting institution, and any other information that may be necessary for compliance with the HIPAA Privacy Rule’s accounting of disclosures requirement.[24] Each Participant is responsible for ensuring its compliance with such requirement and may choose to provide individuals with more information in the accounting than is required. Each requesting institution shall provide the information required for the disclosing institution to meet its obligations under the HIPAA Privacy Rule’s accounting of disclosures requirement.
  6. Audit Logs. Participants and SNOs shall consider and work towards maintaining an audit log documenting which Participants posted and accessed the information about an individual through the RLS and when such information was posted and accessed.[25] Participants and SNOs shall consider and work towards implementing a system wherein, upon request, patients have a means of seeing who has posted and who has accessed information about them through the RLS and when such information was accessed.[26]
  7. Authentication. Each Participant shall follow uniform minimum authentication requirements for verifying and authenticating those within their institutions who shall have access to, as well as other Participants who request access to, information through the SNO and/or the RLS.[27][28]
  8. Access. Each SNO should have a formal process through which information in the RLS can be requested by a patient or on a patient’s behalf.[29] Participants and SNOs shall consider and work towards providing patients direct access to the information contained in the RLS that is about them.[30]