OCR Clarifies Allowable Uses and Disclosures of PHI for Care Coordination and Continuity of Care
The Department of Health and Human Services’ Office for Civil Rights has issued new HIPAA guidance for health plans on how protected health information can be shared to support care coordination and continuity of care.
The guidance, which is in the form of an FAQ, answers two questions commonly asked by health plans:
Can PHI be disclosed to another health plan for care coordination purposes?
OCR has confirmed that the HIPAA Privacy Rule allows PHI to be used and disclosed for healthcare operations, so it is possible to share PHI with another health plan or other covered entity if doing so is necessary for the entity’s own healthcare operations. PHI can also be shared with another health plan for the recipient’s healthcare operations provided the following conditions are met: Both entities have or had a relationship with the individual, the disclosure pertains to that relationship, and the healthcare operation is one permitted by HIPAA (See 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(4))
Case management and care coordination are included in permitted ‘healthcare operations,’ so they are permitted without patient authorization, but any disclosures should be limited to the minimum necessary information.
Can a health plan use and disclose PHI to inform individuals about other available health plans, without first obtaining authorization and Is this possible if PHI was received for another purpose?
Uses and disclosures of PHI for marketing purposes is generally not permitted without prior authorization. Using PHI for the purposes of offering an individual a different health plan could be seen to be marketing and would therefore only be permitted with prior authorization.
However, there are exceptions to marketing rule. Marketing communications are permitted face to face – See 45 CFR 164.508(a)(3)(i) – and HIPAA also does not count communications regarding replacements to, or enhancements of, existing health plans, provided the covered entity is not receiving financial remuneration for the communications. (See 45 CFR 164.506(c)(1) and 45 CFR 164.501). It is also permitted to use PHI that has been received for another purpose if the above conditions are met.