By: HUB’s EB Compliance Team
The Department of Health and Human Services (“HHS”) recently released two FAQs dealing with uses and disclosures of protected health information (“PHI”) by health plans. Although these FAQs do not break any new technical ground, they provide helpfully practical explanations addressing situations where an authorization is not required to permit PHI use or disclosure.
By way of background, the Health Insurance Portability and Accountability Act (“HIPAA”) generally restricts the use and disclosure of PHI, unless an individual has given his or her authorization. However, there are exceptions.
Care Coordination Disclosures
The first FAQ says that health plans can share PHI, without authorization, to coordinate care. This could happen, for example, if a participant is covered by multiple plans (such as the employer’s plan and a spouse’s plan) or switches from one plan to another while care is ongoing (such as during open enrollment). In those situations, the impacted plans are allowed to share PHI for care coordination purposes, the FAQ says.
As the FAQ points out, however, those disclosures must be the “minimum necessary” to accomplish the purpose. (The “minimum necessary” rule is a fundamental underlying regulatory principle that permeates all HIPAA activities.) Nevertheless, this is one exception that allows health plans to disclose PHI to other health plans, without first obtaining the individual’s authorization to do so.
What this does not mean is that a health plan can share PHI with any different plan (such as a disability plan) without obtaining a valid authorization. Why? The disability plan is not “coordinating” the individual’s health care. Moreover, disability plans are for income replacement, not medical care. Of course, there may be certain cases where the disability plan’s obligation to pay replacement income may need a medical plan’s PHI to validate an individual’s claim for benefits. In such a situation, the individual’s authorization would be required for the health plan to share PHI with the disability plan.
Certain Marketing Disclosures
As a general matter, PHI cannot be used for marketing purposes. This makes sense because most people would not want their personal health information secretly analyzed, traded and then used to try to sell them products. However, there are exceptions. For one, health plans are allowed to use PHI to send information about services available under the plan. This isn’t considered “marketing.” This is why employees might receive a targeted mailer from their insurance company that describes services available for a condition they have (or may be at risk for), such as diabetes or heart disease.
But what if a health insurer has PHI about an individual who they don’t currently cover? Can the insurer use that to market plans to the individual? The FAQ says “yes.” This could happen, for example, if the individual has switched plans away from that carrier. It could also happen if the individual receives care out-of-network and his or her health plan uses a local network plan to coordinate care and pay the out-of-network providers. In that case, the plan might obtain PHI about an individual it does not cover and could then use that to send information to him or her about health plans they offer.
This second FAQ likely will not have a direct effect on employers. However, it may explain why some employees receive materials about other health plan options.
Takeaways
The main point for employers is that these uses and disclosures are limited in nature. Even though these FAQs give examples of uses and disclosures where authorization is not required, employers that have access to PHI should make sure that uses and disclosures are permitted by HIPAA.
If you have any questions, please contact your HUB Advisor. View more compliance articles in our Compliance Directory.
NOTICE OF DISCLAIMER
The information herein is intended to be educational only and is based on information that is generally available. HUB International makes no representation or warranty as to its accuracy and is not obligated to update the information should it change in the future. The information is not intended to be legal or tax advice. Consult your attorney and/or professional advisor as to your organization’s specific circumstances and legal, tax or other requirements.