Notes

  1. See Markle Connecting for Health, “A Model Contract for Health Information Exchange.”
  2. A sub-network organization (SNO) is to operate as a health information data exchange organization (whether regionally or affinity-based) that operates as a part of the National Health Information Network (NHIN), a nationwide environment for the electronic exchange of health information made up of a “network of networks.”
  3. 45 C.F.R. § 160.203.
  4. 45 C.F.R. § 164.520.
  5. HIPAA requires the Notice of Privacy Practices to include a description, with “at least one example, of the types of uses and disclosures that the covered entity is permitted … to make for … treatment, payment and health care operations” and a description of those other purposes for which the entity “is permitted or required … to use or disclose protected health information without” individual authorization. 45 C.F.R. § 164.520(b)(1)(ii)(A). Unlike this recommended model policy, HIPAA does not require the Privacy Notice to set forth what specific information may be disclosed and who may access the information.
  6. 45 C.F.R. § 164.520(b).
  7. See 45 C.F.R. § 164.520(c)(2), (3).
  8. See 45 C.F.R. § 164.520(c)(1), (3).
  9. See 45 C.F.R. § 164.520(c)(2)(ii).
  10. 45 C.F.R. § 164.502(b).
  11. 45 C.F.R. §§ 164.502(1)(ii), 506. Under HIPAA, treatment is defined as “the provision, coordination, or management of health care and related services by one or more health care providers … ” 45 C.F.R. § 164.501. Payment refers to “activities undertaken by: (i) A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care.” Such activities include eligibility and coverage determinations; risk adjustments; billing, claims management and collection activities; medical necessity review; and utilization review. Id. Health care operations includes activities related to covered functions for (i) conducting quality assessment and improvement; (ii) evaluating competence, qualifications and performance of health care professionals, evaluating health plan performance, training and credentialing activities; (iii) underwriting, “premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits”; (iv) “conducting or arranging for medical review, legal services, and auditing functions;” (v) business planning and development; and (vi) business management and administrative activities. Id.
  12. 45 C.F.R. § 164.512(f).
  13. 45 C.F.R. § 164.510(b)(4).
  14. 45 C.F.R. § 164.512(i).
  15. 45 C.F.R. § 164.512(b).
  16. 45 C.F.R. § 164.508(a)(3) & (b).
  17. See 45 C.F.R. § 164.530(j).
  18. See 45 C.F.R. §§ 164.528; 164.524.
  19. 45 C.F.R. §§ 164.316, 164.308(a)(1)(i).
  20. 45 C.F.R. §§ 164.514(h), 164.312(d).
  21. See 45 C.F.R. § 164.530(j).
  22. 45 C.F.R. § 164.502(a), (b).
  23. 45 C.F.R. § 164.502(b).
  24. 45 C.F.R. § 164.528. For HIPAA Covered Entities, this is currently required by law.
  25. See 45 C.F.R. §§ 164.316, 164.308(a)(1)(i).
  26. See Markle Connecting for Health, “Auditing Access to and Use of a Health Information Exchange.”
  27. See 45 C.F.R. §§ 164.514(h), 164.312(d).
  28. See Markle Connecting for Health, “Authentication of System Users.”
  29. See 45 C.F.R. § 164.524.
  30. See Markle Connecting for Health, “Patients’ Access to Their Own Health Information.”
  31. 45 C.F.R. § 164.203.
  32. 45 C.F.R. § 164.502(b).
  33. 45 C.F.R. § 164.530.
  34. See 45 C.F.R. § 164.530(b).
  35. 45 C.F.R. § 164.530(e).
  36. See 45 C.F.R. § 164.530(a), (d).
  37. 45 C.F.R. § 164.526.
  38. 45 C.F.R. § 164.526.
  39. 45 C.F.R. § 164.522.
  40. Under the HIPAA Privacy Rule, individuals have the right to request restrictions on the use and/or disclosure of health information about them. 45 C.F.R. § 164.522. For example, an individual could request that information not be used or disclosed for a particular purpose or that certain information not be disclosed to a particular individual. Covered entities are not required to agree to such requests under HIPAA.
  41. 45 C.F.R. § 164.530(f).

Markle Connecting for Health thanks Marcy Wilder of Hogan & Hartson LLP for drafting this paper.

©2006-2012, Markle Foundation

These works were originally published as part of the Markle Connecting for Health Common Framework: Resources for Implementing Private and Secure Health Information Exchange. They are made available free of charge, but subject to the terms of a License. You may make copies of these works; however, by copying or exercising any other rights to the works, you accept and agree to be bound by the terms of the License. All copies of these works must reproduce this copyright information and notice.