July 09, 2019
On June 26, 2019, HHS posted two FAQs to its website related to the use and disclosure of protected health information (PHI). The first answers whether one health plan is permitted to share PHI with a second health plan for care coordination purposes without the individual’s authorization. As background, the HIPAA privacy rules permit a covered entity (including a health plan) to disclose PHI for its own health care operation purposes. HHS clarified that disclosing PHI for those purposes includes a health plan disclosing PHI of a former participant to a new health plan for care coordination purposes.
The second question answers whether a covered entity may use a participant’s PHI to inform them about other available health plan options that it offers without the individual’s authorization. The HIPAA privacy rules prohibit using PHI for marketing purposes. However, there is an exception for communications to individuals regarding replacements to, or enhancements of, existing health plans, so long as the covered entity is not receiving financial remuneration for the communications. Thus, an insurer is permitted to market its other health plan options to participants as long as they do not receive financial compensation for sending the communication and they are in compliance with any business associate agreement in place.
While these FAQs do not present a new compliance requirement, they do provide additional clarification on how HIPAA applies to certain situations. Covered entities should familiarize themselves with this guidance.
HHS, HIPAA Privacy FAQs »