May a health information organization (HIO) manage a master patient index on behalf of multiple HIPAA covered entities?

Yes. A HIO may receive protected health information from multiple covered entities, and manage, as a business associate on their behalf, a master patient index for purposes of identifying and linking all information about a particular individual. Disclosures to, and use of, a HIO for such purposes are permitted as part of the participating covered entities’ health care operations under the HIPAA Privacy Rule, to the extent the purpose of the master patient index is to facilitate the exchange of health information by those covered entities for purposes otherwise permitted by the Privacy Rule, such as treatment.


Created 12/15/08

Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013