Nixon Peabody LLP

Trending Topics

    Practices

    View All

    Industries

    View All

    Value-Added Services

    View All

    Article

    OCR releases new set of FAQs to address health plans’ use of PHI for care coordination and continuity of care

    July 15, 2019

    By Jéna Grady

    On June 26, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) released a new FAQ document to address how the HIPAA Privacy Rule allows health plans to share PHI in certain circumstances.

    On June 26, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) released a new FAQ document to address how the HIPAA Privacy Rule allows health plans to share PHI in certain circumstances.

    The first FAQ addresses care coordination and care management disclosures between two health plans. OCR emphasized that both these activities are included in the definition of health care operations as provided by the HIPAA Privacy Rule. Disclosures for health care operations purposes must be based on the two entities having a relationship with the individual who is the subject of the requested PHI and the PHI pertains to that relationship. Therefore, OCR noted the Privacy Rule permits one health plan to share PHI about an individual in common with a second health plan for care coordination purposes without the individual’s authorization. In terms of an individual switching health plans, OCR provided that the Privacy Rule would also allow an individual’s previous health plan to disclose PHI to the new health plan without the individual’s authorization as well.

    The second FAQ addresses health plans using and disclosing PHI to inform individuals about other available health plans that it offers without the individual’s authorization. Generally, health plans are prohibited from using or disclosing PHI for marketing purposes without an individual’s authorization. There are, however, certain exceptions to the marketing authorization requirement and also there are specific activities that are not included in the definition of marketing. OCR provided that one exclusion from the definition of marketing is for communications to individuals regarding replacements to, or enhancements of, existing health plans so long as the health plan is not receiving financial remuneration for the communications. To demonstrate this exclusion, OCR provided that when a “Plan A” discloses PHI about an individual to “Plan B,” which is a separate covered entity, Plan B is allowed to send communications to the individual regarding Plan B’s health plan options to replace the individual’s current plan (e.g., discussion of Medicare plans when reaching age of eligibility) so long as there is no remuneration received by Plan B for sending this communication to the individual and such disclosure complies with any applicable business associate agreement(s).

    The OCR FAQ document can be found here.

    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Stay informed of the latest legal news, alerts, and business trends.Subscribe