Patient Health Information Practices | Cortex

Last Modified: 01/31/2022


Some products and services you may access on or may provide information that is considered protected health information ("PHI"). By using products and services that disclose PHI, you agree that you have the legal right to access this information and that you will take all necessary safeguards to protect against the unlawful disclosure of this same PHI. This includes (but is not limited to) ensuring PHI on your screen or monitor is not visible to those without the right to see PHI, that you will use strong passwords, and that you will abide by all relevant laws, including HIPAA.

Under HIPAA, protected health information ("PHI") of a patient can be used or disclosed, without the patient’s authorization, for the purposes of payment, treatment or health care operations (commonly referred to as the "PTO" exception). 45 C.F.R. 164.501. As further outlined herein, ‘treatment’ and ‘health care operations’ are the relevant exceptions that allow the sharing of such information in the Cortex platform.


Under HIPAA’s Privacy Rule, "‘Treatment’ means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another."

Thus, covered entities (e.g. hospitals, physicians, pharmacists, SNFs) involved in the treatment or care of a patient can exchange patient PHI if it is reasonably related to coordinating, managing or providing patient care. For example, a pharmacist speaks with providers multiple times each day, discussing PHI in relation to filling of prescriptions and providing appropriate care to patients; a hospital provides PHI to a SNF as part of coordinating the patient’s transfer to the SNF; a physician discusses a patient’s medical case with a colleague, to get guidance and insight. In such cases, those involved can exchange PHI, without the patient’s authorization, as long as the purpose of the PHI exchange is to facilitate the patient’s care.


Under HIPAA’s Privacy Rule, a covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is for certain purposes, including (1) conducting quality assessment and improvement activities (e.g. patient safety activities (such as those intended to improve the quality of health care delivery), outcome evaluations, case management, care coordination, and related functions) or (2) evaluating provider performance. 45 CFR § 164.501, 164.506(c)(4).

Thus, without a patient’s authorization, under the Health Care Operations exception, HIPAA allows covered entities to disclose PHI to other covered entities that have treated the patient or are currently treating the patient, if the purpose is to improve operations and the quality of care provided to patients.


Under HIPAA, Cortex acts as a business associate of each of our customers (each, a covered entity under HIPAA). As a business associate (and under the terms and conditions of our respective business associate agreement ("BAA") with each customer), we receive our customer’s PHI and share it on their behalf on the Cortex platform. However, the Cortex platform (and the respective BAA) only allows for sharing of this PHI between providers that are presently involved or have been involved in a patient’s care over the prior 12 months; and further limits such access to those providers still reasonably tied to the patient’s care ("Involved Providers"). For example, if a patient has used more than one home health provider in the last 12 months, only the most recent home health provider can view the patient’s data. The assumption is that the patient has elected not to utilize the former home health service, and thus, that home health service is no longer involved in the coordination or care of the patient.

For these Involved Providers, Cortex’s platform allows the sharing of PHI to better coordinate/manage patient treatment and improve health care operations. This is squarely allowed under the PTO exception of HIPAA’s Privacy Rule. 45 C.F.R. 164.501. Additionally, any information that is obtained from local Health Information Exchanges is shared in conformity with the terms and purposes thereof.

Additionally, Cortex’s customer contracts (including BAAs), terms of service, business practices, and internal policies are in alignment with the structures, purposes, and objectives outlined herein. Cortex has also had a HIPAA audit conducted by a third-party vendor and instituted all identified privacy and security measures to ensure compliance. Such measures also include written policies and procedures and required employee training on HIPAA.

We hope this information satisfies any questions or concerns you may have had regarding Cortex’s business model and HIPAA compliance. However, if you have further questions, please contact