OCR Releases New HIPAA FAQs on Care Coordination by Health Plans

Mintz - Health Care Viewpoints

Mintz - Health Care Viewpoints

On June 26, 2019, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) released Frequently Asked Questions (FAQs) on how HIPAA allows health plans to share protected health information (PHI). The FAQs pose two questions: (1) whether HIPAA permits one health plan to share PHI about individuals in common with a second health plan for care coordination purposes; and (2) whether HIPAA permits health plans to use and disclose PHI to inform individuals about other health plans that it offers, without the individuals’ authorization, if the health plan received the PHI for a different purpose. The former answer is an affirmative “yes,” and the latter is a qualified answer of “yes, in certain circumstances.”

The FAQs explain that HIPAA Privacy Rule permit health plans to disclose PHI of common patients to promote case management and health care operations. For instance, if a patient switches health plans, the former health plan can transfer the PHI to the new health plan for care continuity purposes. Note, however, that this activity is still subject to the “minimum necessary” standard set forth in 45 CFR 164.502(b). In addition, the FAQs remind  covered entities that they are generally prohibited from disclosing or using PHI for marketing purposes, unless an exception applies or the desired activity or action is excluded from the definition of “marketing” under the Privacy Rule. One example of an activity that falls outside the scope of “marketing” is that covered entities are permitted to communicate with individuals to address replacements to, or enhancements of, existing health plans, with the understanding that the covered entity shall not receive financial remuneration for the outreach and communication to that certain individual.

Covered entities should rely on these FAQs to help drive care coordination and bring continuity of care to a higher level. It is important to remember, however, that though certain activity is permissible under the HIPAA Privacy Rule, all activity should still comply with any and all business associate agreements to which the covered entity is a party.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - Health Care Viewpoints | Attorney Advertising

Written by:

Mintz - Health Care Viewpoints

Mintz - Health Care Viewpoints on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.