NP Privacy Partner
Search Nixon Peabody's Data Privacy and Cybersecurity blog  Nixon Peabody on Twitter Nixon Peabody on YouTube
Subscribe:Nixon Peabody's Data Privacy and Cybersecurity blog  Nixon Peabody's Data Privacy and Cybersecurity blog
Share Print View
OCR releases new set of FAQs to address health plans’ use of PHI for care coordination and continuity of care

On June 26, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) released a new FAQ document to address how the HIPAA Privacy Rule allows health plans to share PHI in certain circumstances.

The first FAQ addresses care coordination and care management disclosures between two health plans. OCR emphasized that both these activities are included in the definition of health care operations as provided by the HIPAA Privacy Rule. Disclosures for health care operations purposes must be based on the two entities having a relationship with the individual who is the subject of the requested PHI and the PHI pertains to that relationship. Therefore, OCR noted the Privacy Rule permits one health plan to share PHI about an individual in common with a second health plan for care coordination purposes without the individual’s authorization. In terms of an individual switching health plans, OCR provided that the Privacy Rule would also allow an individual’s previous health plan to disclose PHI to the new health plan without the individual’s authorization as well.

The second FAQ addresses health plans using and disclosing PHI to inform individuals about other available health plans that it offers without the individual’s authorization. Generally, health plans are prohibited from using or disclosing PHI for marketing purposes without an individual’s authorization. There are, however, certain exceptions to the marketing authorization requirement and also there are specific activities that are not included in the definition of marketing. OCR provided that one exclusion from the definition of marketing is for communications to individuals regarding replacements to, or enhancements of, existing health plans so long as the health plan is not receiving financial remuneration for the communications. To demonstrate this exclusion, OCR provided that when a “Plan A” discloses PHI about an individual to “Plan B,” which is a separate covered entity, Plan B is allowed to send communications to the individual regarding Plan B’s health plan options to replace the individual’s current plan (e.g., discussion of Medicare plans when reaching age of eligibility) so long as there is no remuneration received by Plan B for sending this communication to the individual and such disclosure complies with any applicable business associate agreement(s).

The OCR FAQ document can be found here.

Comments

There are no comments yet for this post.
Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.
 
* indicates a required field

Title


Body *


Date *

Attachments
 

Privacy Policy | Terms of Use and Conditions | Statement of Client Rights
This website contains attorney advertising. Prior results do not guarantee a similar outcome. © 2018 Nixon Peabody LLP
Categories
Sort by AttachmentsParentCategory