Health plans must participate in care coordination to improve patient outcomes, protect patient information, and maintain an efficient line of communication throughout the care process. Methods of communication like HIPAA compliant email, together with efficient protocols surrounding the process, allow for the secure sharing of this information.
HIPAA applies to health plans because they are considered covered entities. Covered entities, as defined by HIPAA, are individuals or organizations that are directly involved in handling and managing individuals' protected health information (PHI) within the healthcare system. CMS guidance provides, “For HIPAA purposes, health plans include:
Health plans handle vast amounts of sensitive PHI, including medical claims and enrollment data. Their role involves implementing policies and procedures to ensure the confidentiality, integrity, and availability of this information. This includes restricting unauthorized access, protecting against data breaches, and facilitating secure data sharing for authorized healthcare purposes. By fulfilling their responsibilities as covered entities, health plans help maintain patient trust in the healthcare system.
Health plans need to share patients' PHI for continuity of care because it ensures that individuals receive consistent, well-coordinated healthcare. Health plans often serve as intermediaries between patients and various healthcare providers. Sharing PHI among these entities is necessary to provide a complete picture of a patient's medical history, diagnoses, treatments, and medications. This enables healthcare professionals to make informed decisions, avoid duplicative tests or treatments, and tailor care plans to individual needs. Without PHI sharing, there's a risk of fragmented care, medical errors, and delayed treatment, which can disrupt patient care.
Minimum Necessary Standard: Health plans should only disclose the minimum amount of PHI necessary for the intended purpose of care coordination. This ensures that sensitive information is not unnecessarily shared.
Written Business Associate Agreements: When engaging third-party entities to assist with care coordination, health plans should establish written business associate agreements that outline the responsibilities and requirements for protecting PHI.
Use Continuity of Care Documents (CCDs): Leverage the standardized CCD format to transmit patient information securely between providers. CCDs include data for care coordination, such as demographics, medical history, medications, allergies, diagnoses, lab results, and more. Ensure that CCDs are shared electronically through secure channels.
Patient authorization: While HIPAA permits sharing PHI for care coordination without patient authorization, health plans should obtain patient consent or authorization when required by state law or if the individual requests it.
Secure communication: When electronically transmitting PHI for care coordination, health plans should use secure methods, such as HIPAA compliant email or secure file transfer, to protect data during transmission.
Data retention and disposal: Develop policies for the secure retention and disposal of PHI. Ensure that electronic and physical records containing PHI are securely managed and disposed of when no longer needed.
See also: Continuity of care
When engaging in care coordination communication under HIPAA's TPO exception, healthcare entities should adhere to the following best practices:
Case management and care coordination emails are tools for delivering holistic care. The underpinning framework of HIPAA's TPO exception recognizes the unique demands of patient care, allowing healthcare professionals to share pertinent information without explicit opt-in consent.
See also: Do you need opt-in for care coordination emails?
A business associate is a person or entity that performs certain functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI.
PHI is any information about health status, provision of health care, or payment for health care that can be linked to an individual.
HIPAA's TPO exception allows covered entities to use or disclose PHI without patient authorization for treatment, payment, and healthcare operations purposes.