The HIPAA Privacy Rule permits a covered entity to disclose PHI to another covered entity for its own health care operations purposes, or for the health care operations of the entity receiving the information. If the disclosure of PHI is for the health care operations of the recipient covered entity, the Privacy Rule requires that (i) each entity either has or had a relationship with the individual who is the subject of the PHI being requested, (ii) the PHI pertains to that relationship, and (iii) the disclosure is for a health care operation listed in paragraphs (1) or (2) of the definition of health care operations or for health care fraud and abuse detection or compliance. 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(4). Case management and care coordination are among the activities listed in paragraph (1) of the definition of health care operations. 45 CFR 164.501. For example, if Covered Entity A provides health insurance to an individual who receives access to the provider network of another plan provided by Covered Entity B, Covered Entity A is permitted to disclose an individual’s PHI to Covered Entity B for care coordination, without the individual’s authorization. 45 CFR 164.506(c)(1). Similarly, if an individual had been enrolled in a health plan of Covered Entity A and switches to a health plan provided by Covered Entity B, Covered Entity A can disclose PHI to Covered Entity B for Covered Entity B to coordinate the individual’s care, without the individual’s authorization.

Although such disclosures are permitted, they are subject to the minimum necessary standard. 45 CFR 164.502(b).

Does the HIPAA Privacy Rule permit a covered entity to use and disclose PHI to inform individuals about other available health plans that it offers, without the individuals’ authorization, if the covered entity received the PHI for a different purpose?

Yes, in certain circumstances. If a covered entity possesses or receives PHI about an individual, it can use or disclose such PHI where, and in the manner, permitted by the Privacy Rule. 45 CFR 164.502(a) and (b). Covered entities are prohibited from using or disclosing PHI for marketing purposes without the individual’s authorization, unless the communications are subject to an exception. 45 CFR 164.508(a)(3)(i) (exception to marketing authorization for face-to-face communications by a covered entity to an individual and for promotional gifts of nominal value). In addition, certain communications to individuals about products or services are specifically excluded from the definition of “marketing.” 45 CFR 164.501 (definition of marketing, para (2)). One such exclusion from the definition of marketing is for communications to individuals regarding replacements to, or enhancements of, existing health plans, so long as the covered entity is not receiving financial remuneration for the communications. 45 CFR 164.501 (definition of marketing, para (2)(ii)(B)); see also 45 CFR 164.506(c)(1) and 45 CFR 164.501 (definition of “health care operations,” para (3)). Thus, if these conditions are met, HIPAA permits a covered entity to use PHI in its possession about individuals to inform such individuals about the availability of other health plans it offers without the individuals’ authorization. See 45 CFR 164.502(a)(1). For example, in a situation where Plan A discloses PHI about an individual to Plan B (a separate covered entity), Plan B is permitted to send communications to the individual about Plan B’s health plan options that may replace the individual’s current plan (e.g., Medicare plans for individuals reaching the age of Medicare eligibility), without the individual’s authorization, so long as Plan B (1) receives no remuneration for sending the communication to the individual, and (2) complies with any business associate agreement(s), where applicable.