November 30, 2020

Volume X, Number 335


OCR Releases New HIPAA FAQs on Care Coordination by Health Plans

On June 26, 2019, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) released Frequently Asked Questions (FAQs) on how HIPAA allows health plans to share protected health information (PHI). The FAQs pose two questions: (1) whether HIPAA permits one health plan to share PHI about individuals in common with a second health plan for care coordination purposes; and (2) whether HIPAA permits health plans to use and disclose PHI to inform individuals about other health plans that it offers, without the individuals’ authorization, if the health plan received the PHI for a different purpose. The former answer is an affirmative “yes,” and the latter is a qualified answer of “yes, in certain circumstances.”

The FAQs explain that HIPAA Privacy Rule permits health plans to disclose PHI of common patients to promote case management and health care operations. For instance, if a patient switches health plans, the former health plan can transfer the PHI to the new health plan for care continuity purposes. Note, however, that this activity is still subject to the “minimum necessary” standard set forth in 45 CFR 164.502(b). In addition, the FAQs remind covered entities that they are generally prohibited from disclosing or using PHI for marketing purposes, unless an exception applies or the desired activity or action is excluded from the definition of “marketing” under the Privacy Rule. One example of an activity that falls outside the scope of “marketing” is that covered entities are permitted to communicate with individuals to address replacements to, or enhancements of, existing health plans, with the understanding that the covered entity shall not receive financial remuneration for the outreach and communication to that certain individual.

Covered entities should rely on these FAQs to help drive care coordination and bring continuity of care to a higher level. It is important to remember, however, that though certain activity is permissible under the HIPAA Privacy Rule, all activity should still comply with any and all business associate agreements to which the covered entity is a party.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume IX, Number 192



About this Author

Kristen A. Marotta Associate  Hospitals & Health Systems Physician Organizations

Kristen focuses her practice on health care transactions, regulatory matters, and general contracting. Her experience includes counseling clients on both investing in and exiting from the health care space, drafting compliance plans and policies, facilitating deals and conducting due diligence to assess risk, addressing employment issues for health care entities, and assisting companies with formation and reorganization.

Prior to joining Mintz, Kristen was an associate...