
How health plans can share PHI for care coordination

Effective communication among multiple healthcare providers is a necessary step in care coordination, but health plans must still exercise caution when sharing patient data so as to minimize the risk of data mishandling and potential breaches.


Why are health plans subject to HIPAA?

HIPAA applies to health plans because they are considered covered entities. As defined by HIPAA, covered entities are individuals or organizations directly involved in handling and managing individuals' protected health information (PHI) within the healthcare system. Health plans, including health insurance companies, HMOs, employer-sponsored health plans, and government healthcare programs like Medicare and Medicaid, fall into this category.


What is the role of health plans in protecting PHI?

Health plans handle vast amounts of sensitive PHI, including medical claims and enrollment data. Their role involves implementing policies and procedures to ensure the confidentiality, integrity, and availability of this information. This includes restricting unauthorized access, protecting against data breaches, and facilitating secure data sharing for authorized healthcare purposes. By fulfilling their responsibilities as covered entities, health plans help maintain patient trust in the healthcare system.


Sharing PHI and care coordination

Health plans need to share patients' PHI for continuity of care because it ensures that individuals receive consistent, well-coordinated healthcare. Health plans often serve as intermediaries between patients and various healthcare providers. Sharing PHI among these entities is necessary to provide a complete picture of a patient's medical history, diagnoses, treatments, and medications. This enables healthcare professionals to make informed decisions, avoid duplicative tests or treatments, and tailor care plans to individual needs. Without PHI sharing, there's a risk of fragmented care, medical errors, and delayed treatment, which can disrupt patient care.


HIPAA compliance standards health plans should follow

Minimum Necessary Standard: Health plans should only disclose the minimum amount of PHI necessary for the intended purpose of care coordination. This ensures that sensitive information is not unnecessarily shared.

Written Business Associate Agreements: When engaging third-party entities to assist with care coordination, health plans should establish written business associate agreements that outline the responsibilities and requirements for protecting PHI.

Use Continuity of Care Documents (CCDs): Leverage the standardized CCD format to transmit patient information securely between providers. CCDs include data for care coordination, such as demographics, medical history, medications, allergies, diagnoses, lab results, and more. Ensure that CCDs are shared electronically through secure channels.

Patient authorization: While HIPAA permits sharing PHI for care coordination without patient authorization, health plans should obtain patient consent or authorization when required by state law or if the individual requests it.

Secure communication: When electronically transmitting PHI for care coordination, health plans should use secure methods, such as HIPAA-compliant email or secure file transfer, to protect data during transmission.

Data retention and disposal: Develop policies for the secure retention and disposal of PHI. Ensure that electronic and physical records containing PHI are securely managed and disposed of when no longer needed.
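The minimum necessary standard and the limited-access practice above become concrete when disclosure is driven by a stated purpose rather than by handing over a whole member record. The following Python snippet is an added illustration, not code from Paubox or from any health plan: it keeps a per-purpose allowlist of record sections (loosely named after CCD sections), strips fields that are never released without explicit authorization, and writes an audit entry for every disclosure so that what was shared, with whom and why can be reviewed later. The purpose names, section names, sample record and the `minimum_necessary` / `audit_log` helpers are all assumptions constructed for this example.

```python
"""Purpose-based PHI disclosure filter illustrating the minimum necessary standard.

Constructed example: the purpose names, section names and sample record are
assumptions made for illustration, not any real health plan's policy.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Sections of a member record a given purpose may receive. Assumption: a real
# plan would derive this table from its written disclosure policy.
ALLOWED_SECTIONS: Dict[str, FrozenSet[str]] = {
    # Care coordination with a treating provider: clinical sections only.
    "care_coordination": frozenset(
        {"demographics", "problems", "medications", "allergies", "results"}),
    # Claims payment needs identity and claim lines, not the clinical record.
    "payment": frozenset({"demographics", "claims"}),
    # Plan operations such as quality review: clinical summary without identity.
    "operations": frozenset({"problems", "results"}),
}

# Fields never released under any routine purpose (defense in depth even if a
# policy entry above is misconfigured to include them).
ALWAYS_REDACTED: FrozenSet[str] = frozenset({"ssn", "psychotherapy_notes"})


@dataclass
class Disclosure:
    """One audit-log entry: what left the plan, for what purpose, to whom."""
    member_id: str
    purpose: str
    recipient: str
    released_sections: List[str]
    withheld_sections: List[str]
    timestamp: str


_AUDIT_LOG: List[Disclosure] = []


class UnknownPurpose(ValueError):
    """Raised when no disclosure policy exists for the requested purpose."""


def minimum_necessary(record: dict, purpose: str, recipient: str) -> dict:
    """Return a copy of `record` limited to the sections permitted for `purpose`.

    Unknown purposes are refused rather than defaulting to "share everything",
    and every call is recorded in the audit log.
    """
    if purpose not in ALLOWED_SECTIONS:
        raise UnknownPurpose(f"no disclosure policy for purpose {purpose!r}")
    allowed = ALLOWED_SECTIONS[purpose] - ALWAYS_REDACTED
    released = {k: v for k, v in record.items()
                if k in allowed and k != "member_id"}
    withheld = sorted(k for k in record
                      if k not in released and k != "member_id")
    _AUDIT_LOG.append(Disclosure(
        member_id=record["member_id"], purpose=purpose, recipient=recipient,
        released_sections=sorted(released), withheld_sections=withheld,
        timestamp=datetime.now(timezone.utc).isoformat()))
    return {"member_id": record["member_id"], **released}


def audit_log() -> List[Disclosure]:
    """Snapshot of all disclosures made so far (for review or reporting)."""
    return list(_AUDIT_LOG)


# Constructed sample member record with fictional values.
SAMPLE_RECORD = {
    "member_id": "M-000123",
    "ssn": "000-00-0000",
    "demographics": {"name": "Test Member", "dob": "1970-01-01"},
    "problems": ["type 2 diabetes"],
    "medications": ["metformin 500 mg"],
    "allergies": ["penicillin"],
    "results": [{"test": "HbA1c", "value": "7.1%"}],
    "claims": [{"claim_id": "C-1", "amount": 120.0}],
    "psychotherapy_notes": "(never disclosed without authorization)",
}

if __name__ == "__main__":
    shared = minimum_necessary(SAMPLE_RECORD, "care_coordination", "Example Clinic")
    print("released sections:", sorted(shared))
    for entry in audit_log():
        print(entry)
```

Running the module shows that a care-coordination request receives the clinical sections and nothing else, while the audit entry records that `ssn`, `claims` and `psychotherapy_notes` were withheld; a request with an unrecognised purpose fails closed instead of leaking the full record.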

See also: Continuity of care


Best practices for care coordination communication

When engaging in care coordination communication under HIPAA's TPO exception, healthcare entities should adhere to the following best practices:

  1. Transparency: Communicate openly with patients about the purpose and scope of the communication, ensuring they understand how their information will be used.
  2. Security: Employ robust security measures to protect patient data during transmission and storage, adhering to HIPAA's data security standards.
  3. Relevance: Share only the information necessary for effective care coordination, ensuring that the exchanged data directly contributes to the patient's well-being.
  4. Patient-centeredness: Prioritize the patient's preferences and autonomy, allowing them to voice their communication preferences and opt out if desired.
  5. Limited access: Restrict access to patient information to authorized personnel directly involved in the patient's care to minimize the risk of data breaches.

Case management and care coordination emails are tools for delivering holistic care. The underpinning framework of HIPAA's TPO exception recognizes the unique demands of patient care, allowing healthcare professionals to share pertinent information without explicit opt-in consent.

See also: Do you need opt-in for care coordination emails?
