The Wagner Law Group | Est. 1996

Sophisticated Legal Solutions And Boutique-Style Service

HHS Guidance on When One Health Plan May Share PHI of Individuals with Another Health Plan

On Behalf of | Jul 2, 2019 |

HHS has issued FAQs that provide guidance on the circumstances under which HIPAA’s Privacy Rule allows for one health plan to share protected health information (“PHI”) about individuals who “have a relationship” with a second health plan.

Background. HIPAA’s Privacy Rule allows a covered entity (“CE”), including a health plan, to disclose PHI to another CE for either: (i) the health plan’s own operations purposes; or (ii) the health care operations of the CE receiving the information.
If the PHI disclosure is for the recipient CE’s health care operations, the Privacy Rule requires that: (i) each CE have a relationship with the individual; (ii) the PHI pertains to that relationship; and (iii) the disclosure is for specified health care operations or for health care fraud and abuse compliance or detection.

NOTE: HIPAA’s Privacy Rule definition of health care operations includes case management and care coordination activities.

A CE can use or disclose PHI as permitted by HIPAA’s Privacy Rule, but it cannot use PHI for marketing purposes without an individual’s prior authorization, unless the communications are subject to an exception. However, the Privacy Rule excludes from its definition of marketing certain communications to individuals about products or services, including replacements to (or enhancements of) existing health plans, so long as the CE does not receive compensation for the communications.

HHS FAQs. Specifically, HHS’ FAQs:

  1. Explain when and how one health plan can share PHI about individuals who have a relationship with a second health plan for care coordination purposes; and
  2. Clarify that, under certain circumstances, a health plan can use an individual’s PHI to inform the individual about a replacement for health insurance, even if the plan received the PHI for a different purpose.

EXAMPLE: A health plan could use PHI to inform customers reaching the age of Medicare eligibility of the availability of Medicare Advantage plans for continuity of care purposes without seeking separate authorization from the individuals for the communication.

The FAQs can be found by clicking here.