New HIPAA guidance for health plans has been published by the Department of Health and Human Services’ Office for Civil Rights (OCR) that explains the allowable uses and disclosures of protected health information (PHI) for reasons related to care coordination and continuity of care.
The guidance, which takes the form of a FAQ, explains situations when HIPAA permits the disclosure of PHI without first needing individual authorizations from plan members.
OCR explains that HIPAA prohibits uses and disclosures of PHI for reasons other than treatment, payment, or healthcare operations, unless an authorization is received from an individual permitting a covered entity to use or share that individual’s PHI for the reason outlined in the authorization.
Disclosures of PHI related to case management, care coordination, and continuity of care are covered under the HHS definition of healthcare operations. HIPAA therefore permits the disclosure of PHI to another health plan, other HIPAA covered entity, or business associate for reasons related to case management, care coordination, and continuity of care provided certain conditions are met.
PHI can only be disclosed without first obtaining authorization from the individual if the disclosure is to an entity that already has a treatment relationship with that individual. The disclosure of PHI should be related to the treatment relationship and the disclosure must be for a reason permitted by HIPAA. The relevant sections of HIPAA text are: 45 CFR 164.502(a)(1)(ii) and 45 CFR 164.506(c)(4).
If a health plan wants to use and disclose PHI in order to inform individuals about other health plans, this could be classed as a marketing exercise. Were that to be the case, it would not be permitted to use PHI without prior authorization to do so.
However, there are exceptions to the HIPAA Rule on marketing. One of those exceptions is the use and disclosure of PHI to communicate enhancements to existing health plans or replacements for expiring health plans. Those communications can be made without prior authorization as long as the health plan is not receiving payment for those communications. OCR also confirmed that it does not matter whether the PHI was received for another purpose, provided the above conditions are satisfied.
The relevant sections of HIPAA text are: 45 CFR 164.508(a)(3)(i), 45 CFR 164.506(c)(1) and 45 CFR 164.501.
You can view the OCR FAQ here: https://www.hhs.gov/hipaa/for-professionals/faq/3014/uses-and-disclosures-for-care-coordination-and-continuity-of-care/index.html