The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released two new Frequently Asked Questions (FAQ) on permitted uses and disclosures under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The two FAQs relate to a health plan’s use of protected health information (PHI) for the purposes of care coordination and continuity of care.
Exchange of PHI between Health Plans for Care Coordination:
The first FAQ provides guidance on health plans sharing PHI with other health plans to coordinate patient care. OCR reiterates that covered entities, including health plans, may disclose PHI to another covered entity for treatment, payment, or health care operations without the consent or authorization of the patient. Under the HIPAA Privacy Rule, care coordination qualifies as a health care operation. However, there are a few restrictions on the exchange of PHI for care coordination. First, both covered entities must currently have, or previously have had, a relationship with the individual who is the subject of the PHI. Second, the covered entity must disclose only PHI that is related to the purpose of the covered entity and individual’s relationship. Finally, covered entities must follow the minimum necessary standard when disclosing the PHI for this purpose, even if the disclosure is to another covered entity.
Use of PHI by Health Plans to Provide Information on Other Plans:
The second FAQ addresses whether a covered entity can use and disclose PHI without the individual’s authorization to inform the individual of other available health plans, even if the covered entity received the PHI for a different purpose. For example, a health plan that has received PHI from another health plan can use that PHI to send communication material about its own plan(s) to the subject of the PHI. OCR explains that such disclosure is permitted in certain circumstances under the HIPAA Privacy Rule. Generally, covered entities cannot use PHI for marketing purposes without the individual’s authorization, unless the marketing is conducted using face-to-face communication from the covered entity to the individual, or it is in the form of a gift of nominal value (e.g., a pen with a hospital’s name). However, some practices are explicitly excluded from the HIPAA Privacy Rule definition of marketing. One of those practices is communication to an individual about replacements or enhancements of the individual’s current health plan, so long as the covered entity does not receive financial remuneration for the communication. Therefore, a covered entity may use PHI in its possession to convey information about other health plans to the individual without authorization, if the covered entity is not receiving remuneration for that communication and it complies with any applicable business associate agreements.
The new FAQs are available at: