In the third installment of ONC’s four-part blog series on HIPAA, care coordination, care planning, and case management are in focus. Blog post Part 3: “The Real HIPAA: Care Coordination, Care Planning, and Case Management Examples” gives additional practical examples of exchange for Treatment and exchange for Health Care Operations. The following examples are taken directly from the ONC’s post.
Example 1: Care Coordination – 45 CFR 164.506(c)(2)

A hospital is preparing to discharge a patient who will need ongoing, facility-based care. The inpatient facility needs to identify a rehabilitation facility to accept the patient. Prospective facilities will need Protected Health Information (PHI) about the patient to determine whether they can provide the right care.

The current hospital may disclose the relevant PHI to prospective facilities without first obtaining the patient’s written authorization. The disclosing hospital may use Certified EHR Technology, so long as the disclosure is done in a manner that meets the HIPAA Security Rule.

This disclosure is a treatment disclosure (in anticipation of future treatment of the patient by the rehabilitation facility) and thus may be carried out under 45 CFR 164.506(c)(2).

But, you might wonder, because the PHI came from the inpatient facility, will the inpatient facility be held responsible under HIPAA for what the rehabilitation facilities do with the PHI once they have received it in a permissible way under HIPAA?

Under HIPAA, the inpatient facility is responsible only for complying with HIPAA in disclosing the PHI to the rehabilitation facility in a permitted and secure manner. This includes sending the PHI securely and taking reasonable steps to send it to the right address. After the rehabilitation facility has received the PHI in accordance with HIPAA, the rehabilitation facility, as a covered entity itself, is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to any breaches that occur. The responsibility of the sending provider was to send it securely to the right address; the sending provider is not responsible for its security once received by another covered entity or the recipient covered entity’s business associate (BA).
Example 2: Care Planning by a Provider – 45 CFR 164.506(c)(1) and (c)(2)

A provider wants to ensure that her patients have a comprehensive care plan after they are discharged from the hospital. The provider hires a care planning company (i.e., its BA) to develop these plans for her patients.

To develop the plan, the care planning company requests pertinent PHI about each patient from the patients’ other providers, such as the hospitals to which the patients have been admitted for the same or similar medical care and the patients’ health plans. Each of these covered entities may disclose the relevant PHI for care planning purposes using Certified EHR Technology. Disclosure of electronic PHI by such technology or other electronic method requires HIPAA Security Rule compliance.

In this scenario, a business associate agreement (BAA) is only required between the covered entity that hires the care planning company and that company. The covered entities that permissibly disclose PHI in this scenario may do so directly to the provider’s care planning company for the provider’s care planning purposes (without the need to execute their own BAA), just as they could share this information directly with the provider. Electronic PHI disclosed in this scenario, for example using Certified EHR Technology, must be disclosed consistent with the HIPAA Security Rule.
Example 3: Case Management by a Payer – 45 CFR 164.506(c)(1) and (c)(4)

A health plan hires a health care management company to provide semi-monthly nutritional advice and coaching to its diabetic and pre-diabetic members. The care management company is a BA of the health plan. In order to provide appropriate nutritional advice and coaching, the health care management company needs additional information about these individuals to ensure the advice is consistent with the treatment they receive from their providers.

The health care management company may query the relevant providers to obtain information that could impact the nutritional advice. Providers may respond to the query using Certified EHR Technology and may disclose PHI necessary for the case management purpose for which the nutritional coach was hired by the health plan. Disclosure of electronic PHI by Certified EHR Technology or other method requires HIPAA Security Rule compliance.

In this scenario, the disclosures by the providers to the nutritional coach are for the Health Care Operations (“population-based activities relating to improving health or reducing costs” and “case management”) of the health plan, and therefore are Permissible Disclosures under HIPAA. Likewise, a BAA is only required between the health plan covered entity and the health care management company it hired. The providers may make permissible disclosures of PHI to that company without a BAA between the discloser and that company.

Once again, the providers sharing PHI with the health care management company hired by the health plan are not responsible under HIPAA for what that company or the health plan subsequently does with the information once it has been sent for a permissible reason and in a secure manner.