In FAQ guidance (June 26, 2019), HHS has concluded that the HIPAA Privacy Rule allows one health plan (as a HIPAA covered entity (CE)) to share protected health information (PHI) about individuals who are in common with a second health plan for coordination of care purposes (see Practice Note, HIPAA Privacy Rule and HIPAA Privacy, Security, and Breach Notification Toolkit).

As background, the Privacy Rule permits a CE to disclose PHI to another CE for either:

If the disclosure of PHI is for the recipient CE's health care operations, the Privacy Rule requires that:

Case management and care coordination are activities specified under the definition of health care operations. For example, if an individual was enrolled in the ABC Health Plan and switches to the DEF Health Plan (that is, a different CE), the ABC Health Plan can disclose PHI to the DEF Health Plan so that the latter plan can coordinate the individual's care, without the individual's authorization.

A CE that possesses or receives an individual's PHI can use or disclose the PHI as permitted under the HIPAA Privacy Rule (see Practice Note, HIPAA Privacy Rule: Permitted and Prohibited Uses and Disclosures of Health Information and Standard Document, HIPAA Authorization to Use and Disclose PHI). However, CEs cannot use or disclose PHI for marketing purposes without an individual's authorization – unless the communications are subject to an exception (for example, in the case of promotional gifts) (see Practice Note, HIPAA Privacy Rule: Marketing, Sales, and Research). Some communications to individuals concerning products and services are expressly excluded from the definition of "marketing" under the Privacy Rule. For example, an exclusion exists for communications to individuals about replacements to (or enhancements of) existing health plans, if the CE does not receive financial remuneration for the communications. If these conditions are satisfied, a CE may use PHI in its possession about individuals to inform the individuals of the availability of other health plans that the CE offers without the individuals' authorization.

The FAQ guidance includes an example illustrating permitted sharing of PHI. The example involves a situation in which Plan A discloses PHI about an individual to Plan B (a separate CE). In this situation, Plan B does not need the individual's authorization to send communications to the individual about Plan B's health plan options that may replace the individual's current plan (for example, Medicare plans, in the case of individuals who are Medicare-eligible). However, this assumes that Plan B:

In recent months, HHS has expressed greater interest in how the HIPAA Privacy Rule intersects with coordination of care issues. In December 2018, for example, HHS issued a requeat for information (RFI) concerning possible changes to the HIPAA Privacy Rule (83 Fed. Reg. 64302 (Dec. 14, 2018); see Practice Note, HIPAA Privacy Rule: Request for Information Involving Possible Changes to Privacy Rule (December 2018)). The RFI sought input on whether changes to HIPAA's right of access and other aspects of the Privacy Rule could promote health care coordination and case management by making the transfer of PHI among CEs more efficient.