Guidance to Managed Care Organizations, Health Homes, Care Management Agencies, and Providers

Sharing Protected Health Information for Outreach to support Enrollment of Individuals in Health Homes

  • Guidance is also available in Portable Document Format (PDF)

October 2015


New York State is implementing a number of transformational Medicaid reform initiatives that emphasize person–centered, recovery–oriented services and comprehensive care management for high–need, high–risk individuals. Among these initiatives is the development of Health and Recovery Plans (HARPs), comprehensive managed care organizations which, beginning in the fall of 2015, will deliver a fully–integrated (medical–behavioral health) benefit to individuals with significant behavioral health needs, many of whom are at high risk of disengagement from care. Integral to the development of HARPs will be the role of the Health Home (HH), which will perform both an outreach function in contacting HARP–eligible individuals and informing them of the benefits offered by the HARPs, and the care management function for individuals enrolled in the HARPs. All HARP enrollees will be eligible for Health Home (HH) services, and it is critical that managed care plans, HH care managers, and providers work collaboratively to identify, contact, and enroll these individuals.

The exchange of information is critical to the ability of the Health Homes, Mainstream Managed Care plans, the HARPs, and the various providers of behavioral and physical health care to integrate and coordinate services, and to treat the whole individual in an effective and efficient manner. Individuals with serious behavioral health conditions are also likely to have co–occurring physical health conditions. Treating the whole individual recognizes the fact that behavioral health issues can cause or exacerbate physical ailments, while medical illnesses and conditions can negatively impact individuals´ behavioral health status. Treating only one realm or treating both in an uncoordinated fashion inevitably results in less than optimal results.

Individuals´ personal health information, however, is extremely sensitive. This is particularly true of behavioral health information, due to the stigmatizing nature of information relating to an individual´s mental health or substance use conditions. For that reason, there is a large body of law at both the State and Federal level protecting the confidentiality of individuals´ health information. These laws establish the fundamental principle that personal health information is confidential, and may not be shared absent an individual´s consent, unless certain limited exceptions apply. In such circumstances disclosure may be permitted, but to the minimum extent necessary to accomplish the purpose for the exception. These laws were written with the intent of balancing the interests of confidentiality with the need to communicate information necessary to provide health and behavioral health services to those individuals. Generally stated, it is almost always best, and almost always the least complicated legally, to share information with the consent of the subject.

In some situations, however, obtaining such consent is not possible or practical. In such extremely limited circumstances, the various legal authorities protecting the confidentiality of personal health information do allow for the exchange of clinical information, but only for specific purposes, and only to the minimum extent necessary to accomplish those purposes. They also include requirements for protections to prevent the recipient of such information from re–disclosing information unless it is for a similarly legitimate purpose, and includes similar protections governing the recipient of the re–disclosed information. These procedures and protections represent an attempt to provide the individual with the ability to decide what information, and to whom, their sensitive personal health information will be disclosed.

Relevant Federal and State Authorities

The relevant laws that come into play in the relationship between the State, the Managed Care Organizations (MCOs, including the HARPs), the Health Homes, the Care Management Agencies, the service providers and the recipients are as follows:

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)(PL 104–191). This law was primarily intended to protect health insurance coverage for individuals who lost their jobs by making such insurance more portable. In recognition of the administrative burden the portability requirements would place on health care providers, the law also included provisions to facilitate the electronic exchange of health information. But in so providing, Congress also recognized that by facilitating the exchange of information, the law could also result in a loss of confidentiality of this information. Accordingly, Congress directed the federal Department of Health and Human Services (HHS) to promulgate regulations protecting the confidentiality of such information. These regulations generally prohibit a covered entity from disclosing protected health information (PHI) except as otherwise required or permitted by the regulations.
  • Federal Medicaid Law and Regulations (42 USC §1396a (a)(7); 42 CFR §§431.300–431.307). These authorities restrict the use or disclosure of information concerning applicants or recipients to purposes directly related to the administration of the Medicaid program.
  • Federal Medicaid Alcohol and Substance Use Confidentiality Restrictions (42 CFR Part 2). This law restricts the disclosure of any information which would identify an individual, either directly or indirectly, as receiving, having received or having been referred for substance abuse or alcoholism treatment (42 CFR §2.13(c)(1).
  • State Mental Health Confidentiality Law (MHL §33.13). Under the Mental Hygiene Law clinical information maintained by a provider of mental health services may only be disclosed without the subject´s consent pursuant to the provisions of §33.13.
  • State Public Health Confidentiality Law (PHL §18 (6)). This law requires written authorization from the individual before a health care provider may disclose information to a third party, unless it is pursuant to a court order, for law enforcement purposes, fraud and abuse investigations, or otherwise authorized by law.

Sharing Protected Health Information (PHI): General Guidance

In determining whether sharing of PHI is permissible, it is therefore necessary to:

  • Describe the purpose for which information is proposed to be shared. If the information is being shared by a "covered entity" under HIPAA, the purpose for the sharing of the information must be permissible under HIPAA. If the information is Medicaid data, then the purpose must relate to the administration of the Medicaid program. If the information is being shared by an entity covered by the Mental Hygiene Law, then it must be for a purpose permitted under §33.13. If the information relates to the prevention or treatment of an alcohol or substance use disorder, then the disclosure must be consistent with 42 CFR Part 2. If the information is being shared by an entity licensed by DOH, then it must be permissible under PHL §18 (6).
  • Determine the minimum amount of information necessary to accomplish the legitimate purpose for which it is being shared. The "minimum necessary" standard is common to all of the above authorities.

When PHI is shared consistent with the above legal authorities, it does not lose its confidential status. The recipient of the information is bound by these same requirements, and may only re–disclose the information consistent with the same legal authorities. In order to ensure that the recipient of the PHI understands the confidential nature of the information, and agrees to avoid wrongful re–disclosure, it is therefore necessary that there be adequate legal assurance, in the form of such agreements as a Business Associates Agreement (BAA), a Confidentiality and Non–Disclosure Agreement (C&NDA), or a Data Exchange Application Agreement (DEAA), whereby the recipient agrees to abide by these confidentiality provisions, and, in the event it does re–disclose any such information, that it will enter into a similar agreement with the sub–recipient of the information.

Sharing PHI of MCO members who have not provided consent

Questions have been raised about the exchange of information in the following scenarios:

  1. MCO sharing information with lead HH agencies:

    Purpose: Outreach. Individuals with serious behavioral health issues are eligible for Health Homes and possibly for HARPs, entities designed to assist them in accessing comprehensive physical and behavioral health services and rehabilitative services. Such individuals, by reason of their underlying behavioral health condition, are often difficult to contact in order to offer them the opportunity to enroll in such services. MCOs are responsible for assigning individuals to specific HHs and often have information on recent service use that can guide HH outreach.

    What information can be shared? DOH provides lead Health Home agencies information relating to eligible individuals´ previous Medicaid services to assist outreach and enrollment efforts. MCOs may have additional information in their administrative records that can also assist Health Home outreach and enrollment. Information that can be shared with the lead Health Home agency includes:
    • Contact information including address and phone numbers
    • Prior Medicaid service use data including names and contact information for providers who previously treated the individual and who the MCO believes may be able to assist Health Home outreach. This may include primary care providers, mental health providers and hospital inpatient and/or emergency department providers. However, under 42 CFR Part 2, OASAS–certified providers may not acknowledge an individual´s participation in an alcoholism or substance abuse program, so access to this information is not allowable.

    Legal Architecture: DOH has BAA and/or DEAA with MCOs and HHs. These agreements permit DOH to share information with the MCOs and the HHs. In order for the MCO to share information with the HH, the MCO must have similar agreement(s) with the Health Home. For OASAS–certified information to be shared, a provider can enter into a Qualified Service Organization Agreement (QSOA) which allows them to share information with one separate entity. However, in order for the organization to re–disclose this information to a third party, patient consent is required.
  2. Lead HH agency sharing information with ´downstream´ Care Management Agency (CMA):
    Purpose: The Lead HH contracts Care Management Agencies to conduct its outreach activities, and to provide care management services to enrollees.

    What information can be shared? The CMA should require the same information for outreach that is required by the Health Homes. If the HH has received information from the MCO relating to contact information and/or prior Medicaid service use, then that information would also be necessary for the CMA to perform the same function. Again, PHI relating to identification of an individual participating in an OASAS–certified treatment program must not be disclosed in any form relating to previous Medicaid service use, unless patient consent is received.

    Legal Architecture: The HH may share the specified claims–based data with the CMA if the HH and the CMA have a Business Associates Agreement, unless the information is protected by federal confidentiality laws, as with alcoholism and substance abuse data. Such protected information cannot be released absent a proper individual consent.
  3. CMA sharing information with providers currently or previously serving HH eligible individuals:

    Purpose: The Lead HH contracts Care Management Agencies to conduct its outreach activities, and to provide care management services to enrollees. CMAs may contact providers who currently or previously (in the past 12 months) served individuals to ask for assistance with outreach, excluding OASAS–certified provider information which is protected from being shared under 42 CFR Part 2, and prevents acknowledgment by providers of an individual´s participation in a program.

    What information can be shared? CMAs and providers may wish to share contact information and/or prior service use information they have available as part of their joint effort to engage the potential enrollee. CMAs may request that the provider explain the Health Home service to the potential enrollee and either ask the enrollee to contact the CMA staff or help arrange a meeting between the individual and the CMA staff. An OASAS–certified provider would not be able to confirm an enrollees´ participation in an OASAS program unless that enrollee gives consent for the SUD provider to speak to the CMA. Business Associate Agreements are not required, however, providers are bound by the normal State and Federal regulations for the flow of information with the Care Management Agencies.
  4. CMA sharing information with MCO:

    Purpose: Outreach to potential Health Home enrollees is more likely to be successful when CMA care managers can communicate and share protected health information directly with MCOs.

    What information can be shared? CMAs and providers may wish to share contact information and/or prior service use information they have available as part of their joint effort to engage the potential enrollee. For example, when a hospital provider calls an MCO to request prior authorization for inpatient care for an individual in outreach status, the MCO could immediately notify the CMA care manager of the individual´s whereabouts and coordinate outreach at the hospital setting. Direct communication between the MCO and CMA would avoid critical delays associated with transferring such information to a lead Health Home agency and then to a downstream CMA. CMA care managers may also want to update MCOs on their outreach efforts, especially when unsuccessful, to consult about alternative outreach strategies and enable the MCO to keep an up–do–date record of attempted contacts to support future outreach efforts.

Legal Architecture: Currently CMAs receive their information pursuant to a BAA with the HH. The HH in turn receives that information from two sources. It receives information from DOH relating to the individuals´ last five services, pursuant to a BAA or DEAA with DOH. It receives additional information from the MCO, pursuant to a BAA with the MCO. In order for the CMA to share information with the MCO (or for the MCO to share information with the CMA), the parties would have to have an agreement such as an Administrative Services Agreement (ASA) to enable such an exchange. DOH will be providing an ASA to MCOs and HHs which will allow the MCOs and CMAs to enter into agreements to share information for the purpose of outreach. MCOs could execute a BAA with multiple CMAs authorizing data sharing for outreach purposes for the members of multiple Health Homes. The parties could be listed in the body of the BAA or as an attachment. Amending the contract between Health Homes and CMAs to reflect this data–sharing relationship is optional. If a contracted behavioral health manager is delegated with the responsibility for performing outreach, and will be communicating directly with CMAs to share information, then that entity should have a BAA with the CMA for purposes of outreach.

It is important to note that this exchange of information is for the limited purpose of performing outreach. The fact that the limited information necessary may be exchanged between the parties in order to facilitate this function in no way authorizes the exchange of additional PHI without the consent of the subject, or to the exchange of this information for any other purpose. For any such additional exchange of information to occur, the same inquiry would need to take place, and the same legal architecture would have to be present authorizing such exchange, including ensuring that no information that is protected by federal confidentiality regulations, specifically 42 CFR Part 2, is disclosed in the sharing of any PHI. Any providers that only provide OASAS certified–services or any identifying information about a patient´s involvement in SUD services cannot be disclosed without consent of the individual to exchange information between relevant entities.

Sharing Protected Health Information after Enrollment/Consent have been completed

After a member has been consented and enrolled into a Health Home, PHI may be shared with the various entities that are included on the consent form. For example, in order for a Health Home to share additional PHI with a Managed Care Plan and Care Management Agency, the HH would want to include the Managed Care Plan, any contracted behavioral health management entity and the Care Management Agency on its consent for release of information. The Managed Care Plan and/or Care Management Agency may, in addition, require its own release of information for bidirectional sharing of PHI.