OCR Releases New HIPAA FAQs on Care Coordination by Health Plans
On June 26, 2019, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) released Frequently Asked Questions (FAQs) on how HIPAA allows health plans to share protected health information (PHI). The FAQs pose two questions: (1) whether HIPAA permits one health plan to share PHI about individuals in common with a second health plan for care coordination purposes; and (2) whether HIPAA permits health plans to use and disclose PHI to inform individuals about other health plans that it offers, without the individuals’ authorization, if the health plan received the PHI for a different purpose. The former answer is an affirmative “yes,” and the latter is a qualified answer of “yes, in certain circumstances.”
The FAQs explain that the HIPAA Privacy Rule permit health plans to disclose PHI of common patients to promote case management and health care operations. For instance, if a patient switches health plans, the former health plan can transfer the PHI to the new health plan for care continuity purposes. Note, however, that this activity is still subject to the “minimum necessary” standard set forth in 45 CFR 164.502(b). In addition, the FAQs remind covered entities that they are generally prohibited from disclosing or using PHI for marketing purposes, unless an exception applies or the desired activity or action is excluded from the definition of “marketing” under the Privacy Rule. One example of an activity that falls outside the scope of “marketing” is that covered entities are permitted to communicate with individuals to address replacements to, or enhancements of, existing health plans, with the understanding that the covered entity shall not receive financial remuneration for the outreach and communication to that certain individual.
Covered entities should rely on these FAQs to help drive care coordination and bring continuity of care to a higher level. It is important to remember, however, that though certain activity is permissible under the HIPAA Privacy Rule, all activity should still comply with any and all business associate agreements to which the covered entity is a party.