Yes. The HIPAA Privacy Rule permits a covered entity to disclose protected health information (PHI) both for its own payment purposes, as well as for the payment purposes of another covered entity that receives the information. See 45 CFR 164.506(c)(3). The Privacy Rule defines “payment” to include activities to determine eligibility or coverage of enrollees. See the definition of “payment” at 45 CFR 164.501, paragraph (2)(i). Thus, a Medicaid State agency and a Medicare Advantage plan may disclose to each other PHI about their enrollees to identify those enrollees that are dually eligible under both plans. Such disclosures must comport with the Privacy Rule’s minimum necessary standard, where applicable. See 45 CFR 164.502(b), 164.514(d). In general, an electronic inquiry and response from one health plan to another to obtain information regarding the eligibility of an enrollee to receive health care must be done using the HIPAA standard transaction for eligibility (X12N 270/271 transaction). Where the disclosures between the State Medicaid agency and the Medicare Advantage plan are conducted using the standard, the Privacy Rule’s minimum necessary requirements do not apply to the disclosures of the data elements required or situationally required by the standard transaction. In contrast, where the disclosures are made outside of a standard transaction, both the Medicare Advantage plan in its request for PHI, as well as the State Medicaid agency in its response, must make reasonable efforts to limit the PHI requested and disclosed to the minimum necessary PHI for the purpose of identifying dually eligible enrollees. Because the Medicare Advantage plan must limit its request to the minimum necessary PHI to identify dually eligible enrollees, the State Medicaid agency may rely, if reasonable, on that request for PHI as satisfying the minimum necessary requirement for these purposes. See 45 CFR 164.514(d)(3)(iii).
