Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to decide whether sensitive information about them may be disclosed to or through a health information organization (HIO)?

Yes. To the extent a covered entity is using a process either to obtain consent or act on an individual’s right to request restrictions under the Privacy Rule as a method for effectuating individual choice, policies can be developed for obtaining consent or honoring restrictions on a granular level, based on the type of information involved. For example, specific consent and restriction policies could be developed, either on an organization level or HIO level, for HIV/AIDS, mental health, genetic, and/or substance abuse information. In addition, there may be other Federal and State laws that will affect a covered entity’s exchange of this sensitive information to or through a HIO, and covered entities should consider these other laws when developing individual choice policies. For example, such laws may prescribe the form of consent that is required or create other requirements for the disclosure of information based on the type of information or the intended recipient.

Created 12/15/08