Guidance for Sharing Protected Health Information for Outreach by Health Homes
- Document is also available in Portable Document Format (PDF)
Frequently Asked Questions
October 2015
When is the sharing of PHI for outreach purposes, without patient consent, permissible?
The sharing of PHI in all cases must be restricted to the minimum amount of information necessary to accomplish the purpose. Additionally, the two parties sharing PHI must attain legal assurance to ensure confidentiality of the information and prevention of re-disclosure to other parties. This may come in the form of Business Associate Agreements, Confidentiality and Non-disclosure Agreements, Qualified Service Organization Agreements, or Data Exchange Application Agreements. Additionally, in the case of information relating to alcoholism or substance use disorder treatment through OASAS-certified programs, individual consent is always required for any information that may identify an individual as participating in these programs.
What information may be shared between MCOs and lead Health Home Agencies?
MCOs need to share relevant information with Health Homes to improve outreach and enrollment. This information includes: contact information and prior Medicaid service use data, including previous providers, excluding SUD services and OASAS providers. MCOs have established Business Associate Agreements and/or other formal assurances to allow this exchange of PHI.
What information may be shared between lead Health Home Agencies and downstream Care Management Agencies?
Health Homes contract with Care Management Agencies (CMAs) to extend outreach and provide care management once patients are enrolled in the health home. The HH-CMA contracts typically include Business Associate Agreements and/or other formal assurances to allow exchange of PHI. If the HH has previously received PHI in the form of contact information and prior Medicaid service usage, the CMA can then receive this information to conduct outreach. The CMA can only receive the same information as the HH from the MCO, excluding include any information protected under 42 CFR Part 2.
What information may be shared between CMAs and providers?
CMAs and providers may wish to share PHI to support efforts to engage the potential enrollee. CMAs may request that the provider explain the Health Home service to the potential enrollee and either ask the enrollee to contact the CMA staff or help arrange a meeting between the individual and the CMA staff. If a CMA is aware that a Health Home eligible individual is receiving services from a particular provider, the CMA can contact that provider to inform them that the individual is eligible for Health Home services and ask the provider to help connect the individual with the CMA. Providers can receive this information without divulging further PHI related to the individual. However, an OASAS-certified provider would not be able to be contacted, nor reach out to the patient about the Health Home service unless that patient gave consent for the CMA to contact the SUD provider in the first place. Information may be shared if an active consent still exists between the Provider and CMA.
What information may be shared between MCOs and CMAs?
When PHI can be communicated and shared directly between MCOs and CMAs, the outreach process is improved because it eliminates delays in communication due to the passing of information between multiple parties. As a result, contact information, previous use, and alerts for admission to a hospital can allow direct interaction for outreach purposes. This sharing of PHI would require a written scope of work describing the nature of information to be shared and an established Business Associate Agreements and/or other formal assurances to allow exchange of PHI. NYS DOH encourages MCOs and CMAs, in collaboration with their lead Health Home agencies, to consider such arrangements. Amending the contract between Health Homes and CMAs to reflect this data-sharing relationship is optional. If a contracted behavioral health manager is delegated with the responsibility for performing outreach, and will be communicating directly with CMAs to share information, then that entity should have a BAA with the CMA for purposes of outreach.
Guidance for Sharing Protected Health Information after Consent and Enrollment into a Health Home
What information can be shared among the various entities after the Health Home enrollment and consenting process has been completed?
After a member has been consented and enrolled into a Health Home, PHI may be shared with the various entities that are included on the consent form. For example, in order for a Health Home to share additional PHI with a Managed Care Plan and Care Management Agency, the HH would want to include the Managed Care Plan, any contracted behavioral health management entity and the Care Management Agency on its consent for release of information. The Managed Care Plan and/or Care Management Agency may, in addition, require its own release of information for bidirectional sharing of PHI.