In the third in its series of HIPAA FAQs, HHS OCR outlines just when and how health plans are allowed to share protected health information under HIPAA to promote coordinated care.
The Department of Health and Human Services Office for Civil Rights released its third FAQ in a series designed to shed light on common HIPAA concerns. The latest fact sheet outlines when it’s appropriate and compliant for health plans to share protected health information for care coordination.
OCR makes it clear that under HIPAA a health plan is permitted to share PHI about patients in common with a second health plan to bolster care coordination. Covered entities are allowed to disclose PHI to another covered entity for its own healthcare operations needs, or for health operations of the entity receiving the information.
“If the disclosure of PHI is for the healthcare operations of the recipient covered entity, HIPAA requires that each entity either has or had a relationship with the individual who is the subject of the PHI being requested, [and] the PHI pertains to that relationship,” OCR officials wrote.
They’re also permitted to disclose PHI when it’s for a specific healthcare operation, or “of the definition of healthcare operations or for healthcare fraud and abuse detection or compliance…. Case management and care coordination are among the activities listed.”
For example, if one covered entity provides health insurance to a patient who receives access to the provider network of another plan provided by a second covered entity, the first entity is permitted to disclose the patient’s PHI to the second covered entity to support care coordination – and without the patient’s authorization.
“Similarly, if an individual had been enrolled in a health plan of covered entity ‘A’ and switches to a health plan provided by covered entity ‘B,’ covered entity ‘A’ can disclose PHI to covered entity ‘B’ for covered entity ‘B’ to coordinate the individual’s care, without the individual’s authorization,” officials wrote.
“Although such disclosures are permitted, they are subject to the minimum necessary standard,” they added.
OCR also clarified that, in some circumstances, HIPAA does permit a covered entity to use and disclose PHI to inform patients about other health plans offered by the insurer without their authorization, even if the covered entity received the PHI for a different purpose.
For example, if a covered entity receives or already holds a patient’s PHI, HIPAA allows the covered entity to use and disclose the data. However, OCR explained that covered entities are prohibited from using or disclosing PHI for marketing purposes without the individual’s authorization, unless the communications fall under an exemption.
“Certain communications to individuals about products or services are specifically excluded from the definition of ‘marketing,’” officials wrote. “One such exclusion… is for communications to individuals regarding replacements to, or enhancements of, existing health plans, so long as the covered entity is not receiving financial remuneration for the communications.”
“Thus, if these conditions are met, HIPAA permits a covered entity to use PHI in its possession about individuals to inform such individuals about the availability of other health plans it offers without the individuals’ authorization,” they added.
OCR went on to explain that in a situation where health plan ‘A’ discloses patient PHI to plan ‘B,’ the second health plan is permitted to send communications to the patient about plan options that may replace the individual’s current plan without authorization, for example a Medicare plan for an individual reaching the age of Medicare eligibility.
The data sharing is permitted as long as the second health plan receives no remuneration for sending the communication to the patient, while complying with any applicable business associate agreements.
The health plan FAQ is the latest in a HIPAA educational series from OCR. The first explained provider liability around third-party health apps under HIPAA, and the second outlined the direct liability of business associates.
Date: July 10, 2019
Source: Health IT Security