HIPAA Privacy: What Information Can You Release?

The implementation of the Health Insurance Portability and Accountability Act (HIPAA) privacy rule has sparked concern and confusion in many sectors of the health care industry, and exchanges between health plans and providers are no exception.

Some providers and their staff have declined to provide Humana with requested information on its members, such as discharge dates, admission dates and treatment or diagnosis-related information. Concerns about inappropriate release of members’ Protected Health Information (PHI) are understandable. But in many cases, physicians and other health care providers who decline to provide information have misconceptions or misinformation about the HIPAA Privacy Rule.

The privacy rule, specifically Section 164.506 (c) (4) (see link at bottom of this article), permits covered entities, such as health plans and physicians, to exchange patient information for purposes of operational activities and payment. In addition, a written authorization from the patient/member is not required when information is exchanged for allowable purposes.

Besides requesting information for claim processing and payment purposes, Humana may also request member information and medical-chart data for a broad range of other HIPAA-permitted purposes, including:

• Quality reporting and peer review activities. Throughout the year, Humana may collect member data for HEDIS® (Health Plan Employer Data and Information Set) reporting, clinical studies, peer review and Ambulatory Medical Record Reviews, as well as for other reviews performed by Humana’s Quality Management Department and Utilization Management Department.
• Regulatory and accrediting requirements. In addition, information may be requested so that Humana can meet its reporting requirements for regulatory agencies and accrediting organizations, such as the National Committee for Quality Assurance (NCQA), the Utilization Review Accreditation Commission (URAC), the Center for Medicare and Medicaid Services (CMS) and/or the Agency for Health Care Administration (AHCA).

During the past year, Humana developed and implemented policies and procedures that are in full compliance with both the letter and the spirit of the HIPAA privacy rule. Any requests Humana makes for member information meet the minimum-necessary requirements and are solely for HIPAA-approved purposes, noted Tracey Groza, Humana’s director of privacy office operations.

“We appreciate providers’ support of the HIPAA privacy regulations, and we have taken the steps necessary to facilitate that patients’ information will be handled appropriately,” said Groza. “However, we are also concerned that delays in receiving the requested information could translate into delays in service to members or make it more difficult for us to meet our reporting requirements.”

Practices that have questions regarding permissible disclosures of member/patient information are encouraged to review some of the excellent online resources that provide clarification on frequently cited concerns. Following are a few:

HIPAA Privacy Rule — Office for Civil Rights. The full text of the rule
is available at: www.hhs.gov/ocr/combinedregtext.pdf.

Department of Health and Human Services — Office for Civil Rights FAQs: www.hhs.gov/ocr/hipaa/index.html (Also see responses to site visitors’ HIPAA questions, at http://answers.hhs.gov/).

Health Privacy Project, affiliated with Georgetown University — www.healthprivacy.org. This site provides HIPAA privacy information for both health care providers and consumers/patients.

Back to top