The Department of Health and Human Services’ Office for Civil Rights has released new HIPAA guidance for health plans on how protected health information can be sent to support care coordination and continuity of care.
The new material, which has been published in an FAQ format, addresses two questions commonly asked by health plans:
Can PHI be shared with another health plan for care coordination reasons?
OCR has said that the HIPAA Privacy Rule allows PHI to be used and shared for healthcare operations, so it is possible to share PHI with another health plan or other covered entity if doing so is required for the entity’s own healthcare operations. PHI can also be sent to another health plan for the recipient’s healthcare operations provided the following conditions are in place: Both entities have or had a relationship with the individual, the disclosure relates to that relationship, and the healthcare operation is one allowable under HIPAA (See 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(4))
Case management and care coordination are incorporated in permitted ‘healthcare operations,’ so they are allowable without patient authorization, but any disclosures should be kept to the minimum necessary information.
Can a health plan use and share PHI to inform subscriber regarding other available health plans, without first being given authorization and is this allowable if PHI was given for another purpose?
Uses and disclosures of PHI for marketing reasons is generally not permitted without first receiving authorization. Using PHI for the purposes of offering a subscriber a different health plan could be seen to be marketing and would therefore only be allowable without prior authorization.
However, there are some exceptions in place to the marketing rule. Marketing communications are allowed face to face – See 45 CFR 164.508(a)(3)(i) – and HIPAA also does not count communications regarding replacements to, or enhancements of, existing health plans, provided the covered entity is not receiving financial remuneration for the communications. (See 45 CFR 164.506(c)(1) and 45 CFR 164.501). It is also permitted to use PHI that has been received for another purpose if the above conditions are in place.