The Department of Health and Human Services’ Office for Civil Rights published new HIPAA guidance for health plans about the proper sharing of protected health information to assist patient care coordination and continuity of patient care.
The guidance is written in the format of an FAQ. It answers two questions that health plans frequently ask:
#1 Can PHI be disclosed to another health plan for the purpose of patient care coordination?
The HIPAA Privacy Rule permits the use and disclosure of PHI for healthcare procedures, thus it is allowed to disclose PHI to another health plan or covered entity if it is necessary for the entity to proceed with the healthcare procedures. PHI may likewise be disclosed to a health plan for the purpose of a recipient’s healthcare operations as long as these conditions are satisfied: The two entities have or had a treatment relationship with the person, the disclosure relates to that treatment relationship, and the HIPAA permits the healthcare operation as per 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(4).
The permitted ‘healthcare operations’ by HIPAA include case management and care coordination, so PHI disclosure is allowed even without patient authorization. However, any disclosure must be restricted to the minimum allowed data.
#2 Can a health plan use and disclose PHI to notify a person concerning other offered health plans, without first acquiring authorization and Is this allowed if PHI was acquired for a different reason?
PHI uses and disclosures for marketing reasons is typically not allowed without getting authorization. Using PHI to send a person offers about a different health plan may be viewed as marketing and therefore is allowed only with authorization.
Nonetheless, there are exclusions to marketing rule. Face-to-face marketing communications are permitted – 5 CFR 164.508(a)(3)(i). HIPAA also allows marketing communications concerning replacements to, or improvements of, current health plans, as long as the covered entity is not given monetary remuneration for the communications. (45 CFR 164.506(c)(1) and 45 CFR 164.501). It is likewise allowed to use PHI that was acquired for a different purpose when the above conditions are satisfied.
The new OCR FAQ can be read here.