In the third installment of ONC’s four-part blog series on HIPAA, care coordination, care planning, and case management are in focus. Part 3 of the series, “The Real HIPAA: Care Coordination, Care Planning, and Case Management Examples,” gives additional practical examples of exchange for Treatment and exchange for Health Care Operations. The following examples are taken directly from ONC’s post.
Example 1: Care Coordination – 45 CFR 164.506(c)(2)
A hospital is preparing to discharge a patient who will need ongoing, facility-based care. The inpatient facility needs to identify a rehabilitation facility to accept the patient. Prospective facilities will need Protected Health Information (PHI) about the patient to determine whether they can provide the right care.
The current hospital may disclose the relevant PHI to prospective facilities without first obtaining the patient’s written authorization. The disclosing hospital may use Certified EHR Technology, so long as the disclosure is done in a manner that meets the HIPAA Security Rule.
This disclosure is a treatment disclosure (in anticipation of future treatment of the patient by the rehabilitation facility) and thus, may be carried out under 45 CFR 164.506(c)(2).
But, you might wonder, because the PHI came from the inpatient facility, will the inpatient facility be held responsible under HIPAA for what the rehabilitation facilities do with the PHI once they have received it in a permissible way under HIPAA?
Under HIPAA, the inpatient facility is responsible only for complying with HIPAA in disclosing the PHI to the rehabilitation facility in a permitted and secure manner. This includes sending the PHI securely and taking reasonable steps to send it to the right address. After the rehabilitation facility has received the PHI in accordance with HIPAA, the rehabilitation facility, as a covered entity itself, is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to any breaches that occur. The responsibility of the sending provider was to send it securely to the right address; the sending provider is not responsible for its security once received by another covered entity or the recipient covered entity’s business associate (BA).
Example 2: Care Planning By a Provider – 45 CFR 164.506(c)(1) and (c)(2)
A provider wants to ensure that her patients have a comprehensive care plan after they are discharged from the hospital. The provider hires a care planning company (i.e., its BA) to develop these plans for her patients.
To develop the plan, the care planning company requests pertinent PHI about each patient from the patients’ other providers, such as the hospitals to which the patients have been admitted for the same or similar medical care and the patients’ health plans. Each of these covered entities may disclose the relevant PHI for care planning purposes using Certified EHR Technology. Disclosure of electronic PHI by such technology or other electronic method requires HIPAA Security Rule compliance.
In this scenario, a business associate agreement (BAA) is only required between the covered entity that hires the care planning company and that company. The covered entities who permissibly disclose PHI in this scenario may do so directly to the provider’s care planning company for the provider’s care planning purposes (without the need to execute their own BAA) just as they could share this information directly with the provider. Electronic PHI disclosed in this scenario, for example using Certified EHR Technology, must be disclosed consistent with the HIPAA Security Rule.
Example 3: Case Management by a Payer – 45 CFR 164.506(c)(1) and (c)(4)
A health plan hires a health care management company to provide semi-monthly nutritional advice and coaching to its diabetic and pre-diabetic members. The care management company is a BA of the health plan. In order to provide appropriate nutritional advice and coaching, the health care management company needs additional information about these individuals to ensure the advice is consistent with the treatment they receive from their providers.
The health care management company may query the relevant providers to obtain information that could impact the nutritional advice. Providers may respond to the query using Certified EHR Technology and may disclose PHI necessary for the case management purpose for which the nutritional coach was hired by the health plan. Disclosure of electronic PHI by Certified EHR Technology or another method requires HIPAA Security Rule compliance.
In this scenario, the disclosures by the providers to the nutritional coach are for the Health Care Operations (“population-based activities relating to improving health or reducing costs” and “case management”) of the health plan, and therefore are Permissible Disclosures under HIPAA. Likewise, a BAA is only required between the health plan covered entity and the health care management company it hired. The providers may make permissible disclosures of PHI to that company without a BAA between the discloser and that company.
Once again, the providers sharing PHI with the health care management company hired by the health plan are not responsible under HIPAA for what that company or the health plan subsequently does with the information once it has been sent for a permissible reason and in a secure manner.