3 min read

What are organized health care arrangements

Picture of Kirsten Peremore Kirsten Peremore July 02, 2025

Definitions
What are organized health care arrangements

According to ‘Organizing and Managing Care in a Changing Health System’ by Linda T. Kohn, a paper looking at how to examine the ways medical organizations are shifting their approach to care, “Organizational arrangements create a structure that enables the partners to come together, care management represents the creation of systems that help the partners work together and function as a unit by sharing information and allocating resources.”

Organized Healthcare Arrangements (OHCAs) are defined under HIPAA regulations as clinically integrated care settings or organized systems of healthcare. Multiple covered entities participate jointly to provide coordinated care and manage health operations. These arrangements involve legally separate entities that collaborate closely to deliver health care services to individuals who typically receive care from more than one provider within the arrangement.

OHCAs may also include organized systems where entities participate in joint activities such as utilization review or quality improvement. These arrangements are formalized through agreements that specify how protected health information (PHI) will be shared and how joint activities will be conducted. The arrangement allows these entities to function as a cohesive unit in the eyes of patients and regulators.

 

How are OHCAs formed?

OHCAs are formed through a collaborative process involving multiple healthcare entities such as hospitals, clinics, and other providers. A Health Law Review study, ‘Beyond the Basics,’ which looked at the implementation of the Privacy Rule in the real world, stated, “Providers in an organized health care arrangement may share information to support the health care operations of the enterprise.” These entities come together with a shared goal of enhancing the coordination and quality of patient care. The formation process typically involves:

  • Identifying common objectives, such as improving healthcare delivery, streamlining information sharing, or jointly managing certain administrative or clinical functions. 
  • Participating entities work together to develop a framework that outlines how they will collaborate, share information, and manage shared activities. 
  • Drafting formal agreements that define the roles, responsibilities, and expectations of each participant, particularly about handling and protecting patient information in compliance with HIPAA regulations. 
  • Establishing protocols for secure data sharing and integrating their systems and processes to facilitate effective collaboration.

See also: HIPAA Compliant Email: The Definitive Guide

 

Why OHCA is used

 

Benefits of forming or participating in an OHCA

OHCA has the ability to deliver coordinated, patient-centered care through efficient and compliant sharing of PHI among multiple healthcare providers. For patients, OHCAs facilitate a more coordinated and integrated approach to care, leading to improved quality of treatment and health outcomes, especially for those with complex or chronic conditions. The sharing of medical records and information among providers ensures efficient care delivery and reduces redundant testing. 

A paper, ‘Are Confidentiality Laws a Barrier to Forming Safety Net Collaborations to Provide Medical Care to the Uninsured?’ submitted to the University of North Carolina at Chapel Hill notes that, “In safety net collaborations, hospitals may allow community physicians the use of their facilities at no charge when they are treating patients within the collaboration. As in the previous example, the hospital and the community safety net physician could form an OHCA that would permit them to use a single consent form and share PHI in accordance with the Privacy Rule.”

On the provider side, being part of an OHCA offers a collaborative environment that promotes shared learning and resource utilization. The collaboration leads to cost savings and improves care capabilities through shared expertise and equipment. The collective data pooling enables enhanced analytics, aiding in quality improvement and research. 

See also: What are the different arrangements under HIPAA?

 

Confusion between OHCAs and other HIPAA relationships

One common confusion is between OHCAs and Affiliated Covered Entities (ACEs). ACEs are groups of covered entities under common ownership or control that elect to be treated as a single covered entity for HIPAA purposes. 

A study from A Journal of Law and Policy notes on the topic of ACEs that, “Under the final rule, greater protection from liability is afforded to affiliated covered entities. Arguably, the protection is illusive because an affiliated covered entity is protected only when it can identify the member responsible for the violation.”

OHCAs, in contrast, do not require common ownership or control; they are based on clinical or operational integration among independent entities. The distinction affects how PHI can be shared and the scope of joint activities permissible under HIPAA.

Another source of confusion is the difference between OHCAs and business associate relationships. Business associates are non-covered entities that perform services on behalf of covered entities and require access to PHI under a business associate agreement. OHCAs consist of covered entities themselves collaborating for joint care and operations, not third-party service providers.

Because both OHCAs and ACEs can issue joint notices of privacy practices and share PHI among participants, misunderstanding their differences can lead to compliance errors.

 

The issue of consent and authorization in shared arrangements

Mental health providers in Oklahoma voiced alarm that, without clear opt-in consent, deeply personal client records, like psychotherapy notes or addiction treatment, could be automatically shared across the HIE unless explicitly excluded. Meanwhile, reporters and regulators are scrutinizing app-based OHCAs and care coordination platforms: even when these systems fall under HIPAA, conflicting state laws (e.g., California’s CMIA, Washington’s “My Health My Data” Act) require informed consent for sensitive health data, complicating federally permitted but sometimes overly broad data-sharing through OHCAs. The patchwork leads to confusion, patients may unknowingly approve consent via joint notices without fully grasping which entities can access their data or the circumstances triggering data use.

See also: Business associate agreement provisions

 

FAQs

How is an OHCA different from a healthcare system or network?

An OHCA is a HIPAA-defined legal designation focused on privacy and PHI sharing. A healthcare system or network may involve business operations, but not all meet the criteria of an OHCA under HIPAA.

 

Do patients need to be notified of an OHCA?

Yes. The Notice of Privacy Practices (NPP) must inform patients that their information may be shared within the OHCA for operational and care coordination purposes.

 

Can an OHCA share PHI for marketing or fundraising?

Only under the same HIPAA rules that apply to individual covered entities. Most marketing requires patient authorization, even within an OHCA.
Send PHI securely—No portals required The all-in-one email security suite for healthcare. HIPAA compliant email with Google and Microsoft.
Send PHI securely—No portals required. The all-in-one email security suite for healthcare. HIPAA compliant email with Google and Microsoft.

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.