Need a little insight into strengthening your HIPAA compliance efforts? Check out the latest FAQs about coordination of exchanging ePHI between health plans.

Working in the healthcare industry means more than treating patients. In addition to patient care, your practice’s staff also has to maintain compliance with complicated, regularly updated HIPAA regulations.

However, that’s easier said than done. 17,000 patient records are breached every day on average. What can you do?

Your first step is to do your homework. The more you know about HIPAA, the more confidently compliant you will be.

But while that sounds straightforward, the fact is that it’s a rather complicated subject. So much so that even the Office for Civil Rights at the U.S. Department of Health and Human Services has made an effort to address it.

New FAQs For HIPAA

In order to help organizations better comply with the HIPAA Privacy Rule, the Office for Civil Rights issued a frequently asked questions (FAQs) document in June 2019, specifically about how the Privacy Rule permits health plans to share protected health information (PHI) in a manner that furthers the HHS Secretary’s goal of promoting coordinated care.

In a nutshell, these two FAQs are intended to explain how one health plan can share PHI about individuals in common with a second health plan for care coordination purposes under the Privacy Rule.

That is, these answer the general question, “Can private information about a covered individual be shared between organizations for the purposes of following more than one plan that applies to the same individual?”

In short, the answer is yes, but it’s vital that you know the specifics as stated in the FAQs document, as there are conditions to this ability to share PHI.

The document is as follows:

  1. Does HIPAA permit one health plan to share protected health information (PHI) about individuals in common with a second health plan for care coordination purposes?

The HIPAA Privacy Rule permits a covered entity to disclose PHI to another covered entity for its own health care operations purposes, or for the health care operations of the entity receiving the information.  If the disclosure of PHI is for the health care operations of the recipient covered entity, the Privacy Rule requires that (i) each entity either has or had a relationship with the individual who is the subject of the PHI being requested, (ii) the PHI pertains to that relationship, and (iii) the disclosure is for a health care operation listed in paragraphs (1) or (2) of the definition of health care operations or for health care fraud and abuse detection or compliance.  45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(4).  Case management and care coordination are among the activities listed in paragraph (1) of the definition of health care operations.  45 CFR 164.501.  For example, if Covered Entity A provides health insurance to an individual who receives access to the provider network of another plan provided by Covered Entity B, Covered Entity A is permitted to disclose an individual’s PHI to Covered Entity B for care coordination, without the individual’s authorization.  45 CFR 164.506(c)(1).  Similarly, if an individual had been enrolled in a health plan of Covered Entity A and switches to a health plan provided by Covered Entity B, Covered Entity A can disclose PHI to Covered Entity B for Covered Entity B to coordinate the individual’s care, without the individual’s authorization.

Although such disclosures are permitted, they are subject to the minimum necessary standard. 45 CFR 164.502(b).

  2. Does the HIPAA Privacy Rule permit a covered entity to use and disclose PHI to inform individuals about other available health plans that it offers, without the individuals’ authorization, if the covered entity received the PHI for a different purpose?

Yes, in certain circumstances.  If a covered entity possesses or receives PHI about an individual, it can use or disclose such PHI where, and in the manner, permitted by the Privacy Rule.  45 CFR 164.502(a) and (b).  Covered entities are prohibited from using or disclosing PHI for marketing purposes without the individual’s authorization, unless the communications are subject to an exception.  45 CFR 164.508(a)(3)(i) (exception to marketing authorization for face-to-face communications by a covered entity to an individual and for promotional gifts of nominal value).  In addition, certain communications to individuals about products or services are specifically excluded from the definition of “marketing.”  45 CFR 164.501 (definition of marketing, para (2)).  One such exclusion from the definition of marketing is for communications to individuals regarding replacements to, or enhancements of, existing health plans, so long as the covered entity is not receiving financial remuneration for the communications.  45 CFR 164.501 (definition of marketing, para (2)(ii)(B)); see also 45 CFR 164.506(c)(1) and 45 CFR 164.501 (definition of “health care operations,” para (3)).  Thus, if these conditions are met, HIPAA permits a covered entity to use PHI in its possession about individuals to inform such individuals about the availability of other health plans it offers without the individuals’ authorization.  See 45 CFR 164.502(a)(1).  For example, in a situation where Plan A discloses PHI about an individual to Plan B (a separate covered entity), Plan B is permitted to send communications to the individual about Plan B’s health plan options that may replace the individual’s current plan (e.g., Medicare plans for individuals reaching the age of Medicare eligibility), without the individual’s authorization, so long as Plan B (1) receives no remuneration for sending the communication to the individual, and (2) complies with any business associate agreement(s), where applicable.

What Do These FAQs Mean For You?

As helpful as it may be for the Office for Civil Rights to provide FAQs like these, it’s still a lot of jargon to parse, which can be difficult if you don’t have the knowledge or experience to do so.

In plainer terms, here is what the two FAQs mean for you and your HIPAA compliance:

  1. Does HIPAA permit one health plan to share protected health information (PHI) about individuals in common with a second health plan for care coordination purposes?
    This offers guidance on health plans sharing PHI with other health plans for the goal of coordinating patient care.
    Put simply, you do not need the consent or authorization of the patient to disclose PHI from one health plan to another if it is for treatment, payment, or health care operations. This is because, under the HIPAA Privacy Rule, care coordination is considered an activity that qualifies as a health care operation.

There are a couple of restrictions:

  • Both covered entities must currently or previously have had a relationship with the individual who is the subject of the PHI.
  • The covered entity must only disclose PHI that is related to the purpose of the covered entity and individual’s relationship.
  • Covered entities must follow the minimum necessary standard when disclosing the PHI for this purpose, even if the disclosure is to another covered entity.
  2. Does the HIPAA Privacy Rule permit a covered entity to use and disclose PHI to inform individuals about other available health plans that it offers, without the individuals’ authorization, if the covered entity received the PHI for a different purpose?

This FAQ offers guidance in relation to the marketing of other health plans. That is, whether a covered entity can use and disclose PHI without the individual’s authorization to inform the individual of other available health plans.

In simple terms, the use of PHI by a covered entity to send communication material about its own plan(s) to the subject of the PHI is permitted under specific circumstances.

While covered entities cannot use PHI for marketing purposes without the individual’s authorization, it is permitted if the marketing efforts are conducted using face-to-face communication from the covered entity to the individual, or it is in the form of a gift of nominal value (e.g., a pen with a hospital’s name).

There are a few practices that are explicitly excluded from the HIPAA Privacy Rule definition of marketing, such as the communication to an individual about replacements or enhancements of the individual’s current health plan. This is excluded only in the event that the covered entity does not receive financial remuneration for the communication.

To that end, a covered entity is permitted to use PHI that it possesses to market to the patient about other health plans without their consent or authorization, so long as the covered entity is not receiving remuneration for that communication.

Does that clear things up?

Maybe – but paraphrasing info from the Office for Civil Rights will only go so far in supporting your HIPAA compliance efforts. If you’re still unsure about what these FAQs, and other particulars of HIPAA, mean for you, then you should seek expert support from Kraft Technology Group.
