May a covered health care provider disclose electronic protected health information (PHI) through a health information organization (HIO) to another health care provider for treatment?
Yes. The Privacy Rule permits a covered entity to disclose PHI to another health care provider for treatment purposes. See 45 C.F.R. § 164.506. Further, a covered entity may use a HIO to facilitate the exchange of such information for treatment purposes, provided it has a business associate agreement with the HIO that requires the HIO to protect the information. See 45 C.F.R. §§ 164.502(e), 164.504(e).