September 24, 2021

Volume XI, Number 267

Advertisement

September 24, 2021

Subscribe to Latest Legal News and Analysis

September 23, 2021

Subscribe to Latest Legal News and Analysis

September 22, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

OCR Releases New HIPAA FAQs on Care Coordination by Health Plans

On June 26, 2019, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) released Frequently Asked Questions (FAQs) on how HIPAA allows health plans to share protected health information (PHI). The FAQs pose two questions: (1) whether HIPAA permits one health plan to share PHI about individuals in common with a second health plan for care coordination purposes; and (2) whether HIPAA permits health plans to use and disclose PHI to inform individuals about other health plans that it offers, without the individuals’ authorization, if the health plan received the PHI for a different purpose. The former answer is an affirmative “yes,” and the latter is a qualified answer of “yes, in certain circumstances.”

The FAQs explain that HIPAA Privacy Rule permits health plans to disclose PHI of common patients to promote case management and health care operations. For instance, if a patient switches health plans, the former health plan can transfer the PHI to the new health plan for care continuity purposes. Note, however, that this activity is still subject to the “minimum necessary” standard set forth in 45 CFR 164.502(b). In addition, the FAQs remind covered entities that they are generally prohibited from disclosing or using PHI for marketing purposes, unless an exception applies or the desired activity or action is excluded from the definition of “marketing” under the Privacy Rule. One example of an activity that falls outside the scope of “marketing” is that covered entities are permitted to communicate with individuals to address replacements to, or enhancements of, existing health plans, with the understanding that the covered entity shall not receive financial remuneration for the outreach and communication to that certain individual.

Covered entities should rely on these FAQs to help drive care coordination and bring continuity of care to a higher level. It is important to remember, however, that though certain activity is permissible under the HIPAA Privacy Rule, all activity should still comply with any and all business associate agreements to which the covered entity is a party.

©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume IX, Number 192
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

The health industry is a complex system, and reimbursement is the lifeblood. Reduction in payments from governmental and commercial payors affects providers, suppliers, manufacturers, and all others across the health care continuum.

Regulatory approval and accreditation is the heart of the system. For many, delay in licensure and other regulatory approvals can threaten financing and corporate viability. Accreditation of residency training programs is essential to the vitality of academic medical centers and teaching hospitals.

Restructuring is a fact of life in this dynamic...

202-434-7324
Advertisement
Advertisement
Advertisement