Cross-Sector Data Sharing: HIPAA Considerations for Data Exchange between Health Care Entities and Community-Based Organizations

Under the CalHHS Health and Human Services Data Exchange Framework (DxF), participating entities are required to exchange health and social services information with other participants. Some participants may be covered entities under the Health Insurance Portability and Accountability Act (HIPAA), such as general acute care hospitals, physician organizations, skilled nursing facilities and health plans, whereas others may not be, such as community-based organizations (CBOs) and social services organizations (SSOs) providing social and health-related services.

While HIPAA permits disclosures of protected health information (PHI) to CBOs and SSOs without an individual’s authorization for certain care coordination and case management activities, many covered entities are hesitant to do so without valid authorization. This fact sheet provides an overview of appropriate circumstances in which HIPAA permits covered entities to share PHI with entities not covered under HIPAA, such as CBOs and SSOs, to accelerate and expand data exchange through the DxF.

Summary

Sharing PHI for Care Coordination and Case Management Purposes

  • HIPAA allows sharing PHI with CBOs and SSOs for certain care coordination and case management activities without individual authorization.

Sharing of PHI for such purposes with third parties does not require written authorization under the HIPAA Privacy Rule

  • Health care providers can share PHI for treatment purposes without individual authorization, including coordination with third parties such as social service entities, as confirmed by OCR guidance, where the provider believes the disclosure is a necessary component of, or may help further, the individual’s health or mental health care.

Other Considerations for Covered Entities with Data Sharing for Care Coordination and Case Management

  • HIPAA holds covered entities accountable for disclosing PHI to CBOs or SSOs in compliance with HIPAA regulations, but not for the actions of these organizations with respect to PHI post-disclosure.

Sharing PHI for Care Coordination and Case Management Purposes

The HIPAA Privacy Rule expressly permits certain uses and disclosures of PHI by covered entities and their business associates, without an individual’s valid authorization, for treatment and certain health care operations, among other important purposes. The definitions of both treatment and health care operations include some care coordination and case management activities aimed at promoting cooperation among members of an individual’s health care delivery team, including family members, caregivers, and SSOs/CBOs.

  • For example, the HIPAA Privacy Rule defines treatment to include “the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party.” 45 CFR § 164.501.
  • The definition of health care operations includes, among other activities, ‘‘population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination . . . and related functions that do not include treatment.” Id.

Sharing of PHI for such purposes with third parties does not require written authorization under the HIPAA Privacy Rule.1 In fact, FAQ guidance released by the Office for Civil Rights (OCR) in 2018 specifically addresses disclosures by a health care provider for care coordination or case management activities:

A health care provider may disclose a patient’s PHI for treatment purposes without having to obtain the authorization of the individual. Treatment includes the coordination or management of health care by a health care provider with a third party. Health care means care, services, or supplies related to the health of an individual. Thus, health care providers who believe that disclosures to certain social service entities are a necessary component of, or may help further, the individual’s health or mental health care may disclose the minimum necessary PHI to such entities without the individual’s authorization. For example, a provider may disclose PHI about a patient needing mental health care supportive housing to a service agency that arranges such services for individuals.

There are a number of scenarios under which covered entities may then appropriately share PHI for care coordination and case management purposes with CBOs and SSOs, such as:

  • A covered health care provider may disclose PHI to a senior center or adult day care provider to help coordinate necessary health-related services for an individual, such as arranging for a home aide, to help the older adult or disabled person with their prescribed at-home or post-discharge treatment protocol.
  • Likewise, a disclosure could also facilitate care coordination and case management as part of a covered health plan’s health care operations, such as when a health plan discloses the PHI of a senior citizen to a senior center as part of the plan’s wellness program in which the senior citizen is enrolled.

Importantly, disclosures like those contemplated above to third parties that are not covered health care providers must still comply with HIPAA’s minimum necessary standard.

Alternatively, while not required by HIPAA with respect to disclosures for care coordination and case management purposes as detailed above, covered entities may share PHI with CBOs and SSOs if they obtain a valid authorization (see 45 CFR § 164.508 for authorization requirements) for the release of information from the individual or the individual’s representative. For example, an authorization could indicate that PHI will be disclosed to “social services providers” for purposes of “supportive housing, public benefits, counseling, and job readiness.”

Other Considerations for Covered Entities with Data Sharing for Care Coordination and Case Management

A common question that arises with respect to sharing PHI with CBOs and SSOs is whether the covered entity will be held responsible under HIPAA for what the receiving third party does with the PHI once it has been shared in a permissible manner under HIPAA.

Under HIPAA, the covered entity is responsible only for complying with HIPAA in disclosing the PHI to the CBO or SSO in a permitted and secure manner. This includes ensuring that the disclosure is permitted for a treatment or health care operations purpose (i.e., that it helps further the patient’s health care), sending the PHI securely, and taking reasonable steps to send it to the right recipient and address. The covered entity is NOT responsible under HIPAA for what that CBO or SSO subsequently does with the information once it has been sent for a permissible reason and in a secure manner.

As a reminder: The DxF Privacy Standards and Security Safeguards Policy and Procedure requires DxF participants that are not a covered entity or business associate under HIPAA to comply with HIPAA’s minimum necessary standard and to develop, implement, and uphold appropriate administrative, physical, and technical safeguards and controls consistent with the HIPAA Security Rule with respect to any health and social services information they receive from other DxF participants.

Helpful Resources

1 Guidance from OCR with respect to sharing of PHI for health care operations purposes related to care coordination and case management (such as disclosures by health plans) is more limited than with respect to treatment, but discussion and commentary in the agency’s Notice of Proposed Rulemaking (NPRM) issued in 2021 specifically states that the agency “believes that such disclosures generally are permitted under the existing Privacy Rule for … certain health care operations”. However, to “provide greater regulatory clarity, and help ensure that covered entities are able to disclose PHI to coordinate care for individuals with social services agencies, community based organizations, and HCBS providers or other similar third parties that are providing health-related services to those individuals,” the NPRM proposed the addition of express regulatory language with respect to such health care operations disclosures.

Disclaimer: Connecting for Better Health has developed this resource to help DxF participants navigate data sharing, but this fact sheet does not and should not be construed as providing legal advice; please consult an attorney for specific legal questions. Please note that this fact sheet only addresses the sharing of PHI under HIPAA, not the sharing of sensitive health information, such as substance use disorder records or reproductive health information, which may be afforded greater privacy protections under applicable law.
