October 23, 2019

October 23, 2019

Subscribe to Latest Legal News and Analysis

October 22, 2019

Subscribe to Latest Legal News and Analysis

October 21, 2019

Subscribe to Latest Legal News and Analysis

OCR Releases New HIPAA FAQs on Care Coordination by Health Plans

On June 26, 2019, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) released Frequently Asked Questions (FAQs) on how HIPAA allows health plans to share protected health information (PHI). The FAQs pose two questions: (1) whether HIPAA permits one health plan to share PHI about individuals in common with a second health plan for care coordination purposes; and (2) whether HIPAA permits health plans to use and disclose PHI to inform individuals about other health plans that it offers, without the individuals’ authorization, if the health plan received the PHI for a different purpose. The former answer is an affirmative “yes,” and the latter is a qualified answer of “yes, in certain circumstances.”

The FAQs explain that HIPAA Privacy Rule permits health plans to disclose PHI of common patients to promote case management and health care operations. For instance, if a patient switches health plans, the former health plan can transfer the PHI to the new health plan for care continuity purposes. Note, however, that this activity is still subject to the “minimum necessary” standard set forth in 45 CFR 164.502(b). In addition, the FAQs remind covered entities that they are generally prohibited from disclosing or using PHI for marketing purposes, unless an exception applies or the desired activity or action is excluded from the definition of “marketing” under the Privacy Rule. One example of an activity that falls outside the scope of “marketing” is that covered entities are permitted to communicate with individuals to address replacements to, or enhancements of, existing health plans, with the understanding that the covered entity shall not receive financial remuneration for the outreach and communication to that certain individual.

Covered entities should rely on these FAQs to help drive care coordination and bring continuity of care to a higher level. It is important to remember, however, that though certain activity is permissible under the HIPAA Privacy Rule, all activity should still comply with any and all business associate agreements to which the covered entity is a party.

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Associate

Kristen focuses her practice on health care transactions, regulatory matters, and general contracting. Her experience includes counseling clients on both investing in and exiting from the health care space, drafting compliance plans and policies, facilitating deals and conducting due diligence to assess risk, addressing employment issues for health care entities, and assisting companies with formation and reorganization.

 

Prior to joining Mintz...

212-692-6246