This Help Center Article is written by Elation Health for informational purposes only as a service to our customers. The following article is intended as a summary of relevant regulatory guidance for health care providers to use at their discretion and should not be relied upon to ensure compliance. All users of Elation must follow all applicable laws and rules and are responsible for their own compliance with relevant health care and privacy regulations as reflected in the Terms of Use of the product.
Overview
Consent and Notices of Privacy Practices Under HIPAA
Under the Health Insurance Portability and Accountability Act (HIPAA), providers must present patients with a Notice of Privacy Practices (NPP), which explains how their health information will be used and disclosed, including disclosure to third-party providers such as Elation. While HIPAA does not always require explicit consent for routine treatment, payment, and healthcare operations, providers must obtain acknowledgment that the patient has received the NPP. This ensures that patients are aware of their rights regarding their protected health information (PHI) and how it may be shared. Providers should ensure that patients understand their rights under HIPAA, including their ability to request restrictions on certain disclosures of their health information. If a patient refuses to sign the acknowledgment of receipt, providers must document the attempt to obtain acknowledgment. In situations involving sensitive information, such as psychotherapy notes, HIPAA requires specific patient authorization before disclosure.
Specially Protected Data
Substance Use Disorder Data
Substance use disorder (SUD) data is a specially protected category of protected health information (PHI) that requires heightened privacy protections under HIPAA and 42 CFR Part 2. This regulation mandates that healthcare providers obtain specific patient consent before disclosing SUD-related information, even for treatment, payment, or healthcare operations. Unlike general PHI, SUD records cannot be shared without explicit patient authorization, except in limited circumstances such as medical emergencies, court orders, or specific public health situations. Given the stigma associated with substance use disorders, providers must implement strict safeguards to protect patient confidentiality. Patients should be clearly informed about their rights regarding SUD data, including the ability to revoke consent for data sharing at any time. Using encryption, access controls, and secure communication channels can help prevent unauthorized disclosures and maintain patient trust while ensuring compliance with legal requirements.
Reproductive Health Data and New HIPAA Exceptions
Reproductive health data, including information related to pregnancy, contraception, fertility treatments, and abortion services, is subject to heightened privacy concerns. Under new HIPAA exceptions, healthcare providers are restricted from disclosing reproductive health information in response to legal requests or investigations unless explicitly required by law. These exceptions aim to enhance patient privacy and protect individuals seeking reproductive healthcare. Providers must ensure patients are aware of these protections and clearly communicate how their reproductive health data will be handled. Secure documentation practices, access controls, and encrypted storage should be used to safeguard this sensitive information. Explicit patient authorization should be obtained before sharing reproductive health data with third parties, except in legally mandated situations.
HIV Data and Mental Health Information
HIV-related data is another highly sensitive category of PHI, requiring special handling to prevent discrimination and ensure patient confidentiality. Many states have specific laws governing the disclosure of HIV status, often requiring explicit written consent before sharing such information. Healthcare providers must stay informed about both federal and state regulations to ensure compliance and protect patient rights. Mental health data, including psychotherapy notes, also requires special consideration under HIPAA. Unlike general medical records, psychotherapy notes are given additional protections and cannot be disclosed without patient consent, except under specific circumstances such as threats of harm to self or others. Providers should implement strict privacy measures, such as role-based access controls and secure record-keeping systems, to maintain the confidentiality of mental health information while ensuring necessary care coordination.
Information Blocking
Providers are required to exchange electronic health information (EHI) under the 21st Century Cures Act's Information Blocking Rule. This rule prohibits practices from unreasonably interfering with the access, exchange, or use of EHI. Providers must ensure that they are not engaging in practices that delay or restrict access to patient data unless a permissible exception applies, such as protecting patient privacy or information security. Ensuring timely and secure data exchange supports continuity of care and gives patients greater access to their health information. Providers must implement policies and technologies that facilitate the secure sharing of health data while complying with HIPAA and other applicable laws. By avoiding information blocking, healthcare organizations can improve care coordination, enhance patient outcomes, and meet regulatory compliance requirements.
State-Specific Regulations
In addition to federal regulations, healthcare providers must comply with state-level privacy and consent laws, which may impose stricter requirements than HIPAA. Many states have enacted specific laws governing patient consent, data sharing, and privacy protections for sensitive health information such as HIV status, mental health treatment, reproductive health, and genetic data. Providers should be aware of their state's unique legal framework to ensure compliance.
Health Information Exchanges
State Health Information Exchanges (HIEs) play a critical role in facilitating the secure exchange of patient data between healthcare organizations. These networks enable providers to access comprehensive patient records, improving care coordination and patient outcomes. Participation in an HIE often requires compliance with state-specific consent laws, which may mandate opt-in or opt-out mechanisms for patients to control how their data is shared. Carequality, a national interoperability framework, allows HIEs and healthcare organizations to exchange data seamlessly across different networks. While HIPAA permits data sharing for treatment, payment, and operations without explicit consent, state laws may impose additional requirements. Providers must understand their state's HIE participation rules and ensure that patients are informed of their rights to consent, revoke access, or opt out of data sharing. Aligning HIE policies with Carequality standards ensures compliance while promoting secure and efficient data exchange for better patient care.
Data Participants
Patient
Under HIPAA, patients have a right to request amendments to their PHI, to request that data be withheld, and to request copies of all their PHI. Requests for data are routed through providers, and providers are required to have policies and procedures for receiving and responding to such requests and for fulfilling all PHI requests from patients.
Provider
The provider is responsible for ensuring that all PHI they have signed off on is accurate and for preserving the integrity of that PHI. Providers are responsible for following all applicable laws and regulations, including aligning their internal policies and procedures so that patient data is shared or restricted according to the relevant regional laws.
Elation Health
Elation Health is the Certified Electronic Health Record Technology (CEHRT) that a provider uses; the provider or practice remains responsible for meeting all regulatory obligations. Elation offers multiple product features that enable providers and practices to share or restrict data and to collect patient consent in accordance with both patient privacy and information sharing requirements. Elation Health follows all laws and regulations required for EHR technology and the security of PHI.
Elation Health Patient Consent and Privacy Tools
Privacy & Security Resources
- /articles/Features-for-Privacy-Requirements
- /articles/Best-practices-for-keeping-your-Elation-account-secure
Elation Health Product Features
| Elation Health Product Feature | Consent Details | Data Type Sent/Received |
|---|---|---|
| Carequality | Opt-in. Providers must record the consent response at the beginning of the patient interaction. If the patient does not consent, do not allow data sharing with Carequality. If a patient later revokes consent, click the I need help -> Contact Elation Support button from the patient's chart and ask our Support Team to remove the patient's consent response from their chart for you. | Sent: CCDA; Received: multiple data types |
| HIE (CCD via SFTP) | HIE integrations are manually set up and if your practice has an HIE integration you should align your Notices of Privacy Practices to reflect how you are sharing data. Consent is for treatment purposes only. | Sent: CCDA |
| Direct Messaging | The data sent should correspond to the type of data being shared and with whom. For example, a referral sent to an outside specialist with a CCD should be covered by the original Notices of Privacy Practices (sharing all data for treatment purposes, referrals, etc.) or handled as requested, depending on practice policies and procedures. Consent may need to be handled case by case depending on the data type and referral, based on your own privacy practices. | Sent: multiple data types (CCDA, attachments); Received: multiple data types (CCDA, attachments) |
| Summary of Care via fax | The data sent should correspond to the type of data being shared and with whom. For example, a referral sent to an outside specialist with a CCD should be covered by the original Notices of Privacy Practices (sharing all data for treatment purposes, referrals, etc.) or handled as requested, depending on practice policies and procedures. Consent may need to be handled case by case depending on the data type and referral, based on your own privacy practices. | Sent: CCDA; Received: CCDA |
| Medication History download via Surescripts | Clicking "download fills" is treated as implicit patient consent. Patients may additionally opt out of Surescripts medication history download at any time through the Surescripts network by visiting https://surescripts.com/opt-out-faq. | Sent/Received: medication data |
| Text messages | Text message consent is captured in the demographics section of the patient chart. It can also be changed by patients directly during text messages or from the patient passport, as described in the Help Center Article on opting in to text messages. | Unidirectional (output) |
| Patient Longitudinal Record | Practices and providers are responsible for ensuring their Notices of Privacy Practices reflect all product functionality and providers and practices that are involved in Patient Longitudinal Records. | Bidirectional access to charts |
| Lab Integrations | These are sent for treatment purposes and should be reflected in your Notices of Privacy Practices. | Sent/Received: multiple data types (labs, imaging, transcriptions) |
| FHIR integrations | These are sent for treatment purposes and should be reflected in your Notices of Privacy Practices. | Read only: can only send information out; cannot receive information into the system. |
| API v2 integrations (includes API v2 HIE integrations and Zus) | These are sent for treatment purposes and should be reflected in your Notices of Privacy Practices. | Read and write functionality/bidirectional information exchange. |
The Patient Forms feature supports collecting patient consent; however, it remains the provider’s responsibility to obtain and update consent in all required and relevant situations.