By Pension and Benefits Editorial Staff
Under certain circumstances, a health plan can share protected health information (PHI) about individuals in common with a second health plan for case coordination purposes, pursuant to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. HHS explained the HIPAA rules in a press release and related frequently asked questions (FAQ) document clarifying how and when the Privacy Rule permits PHI to be shared. Additionally, the Privacy Rule allows, under certain circumstances, the use of PHI received for other purposes by a covered entity, to communicate to an individual about other available health plans.
Additionally, the FAQ explained under what circumstances a covered entity may use PHI in its possession to use and disclose that PHI for purposes of providing an individual with information about alternative available health plans. According to the FAQ, the HIPAA Privacy Rule allows a covered entity to disclose, without the individual’s authorization, PHI to another covered entity under two scenarios. Disclosure is permitted by a covered entity for its own health care operations or for the health care operations of the receiving entity.
In the latter case, the Privacy Rule sets out several requirements. First, each covered entity must have or have had a relationship with the person whose PHI is being sought and second, that PHI must relate to the relationship. Third, the disclosure must relate to a health care operation or for health care fraud and abuse detection or compliance, as defined respectively in 45 C.F.R. 164.502(a)(1)(ii) and 45 C.F.R. 164.506(c)(4). Drawing on 45 C.F.R. 64.501 the FAQ explained that case management and care coordination fall under the definition of health care operations. However, according to HHS, "[a]lthough such disclosures are permitted, they are subject to the minimum necessary standard," as set forth in 45 C.F.R. 164.502(b).
Additionally, under certain circumstances and without the individual’s authorization, a covered entity can use or disclose PHI for purposes of communicating about other available health plans, when the covered entity had received the PHI for other purposes, pursuant to and in the manner provided by the Privacy Rule.
However, covered entities cannot, according to the HHS FAQ, use or disclose PHI for marketing purposes in the absence of an individual’s authorization, unless the specific communications are subject to an exception as delineated in 45 C.F.R. 164.508(a)(3)(i). As spelled out in 45 C.F.R. 164.501(2)(ii)(B), certain communications relating to products or services are specifically excluded from the definition of marketing. If the conditions spelled out in the regulations are met, HIPAA provides that a covered entity may use PHI, without the individual’s authorization, to inform the respective individuals about the availability of other health plans. 45 CFR 164.502(a)(1). However, in this instance, the covered entity may not receive remuneration for the communication and must comply with "any business associate agreement(s), where applicable."
Interested in submitting an article?
Submit your information to us today!Learn More