• E-mail
• Print
• RSS
• Reprints

Protect patient information when communicating with payers

Case Management Monthly, September 1, 2010

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Case Management Monthly.

Case managers who perform utilization management (UM) typically communicate with payers, sending patient information to establish medical necessity. Based on the payer mix at a certain facility and patient volume, case managers disclose protected health information (PHI) every day. 

A fundamental tenet of the HIPAA Privacy Rule requires hospitals and other covered entities that work with PHI to disclose only the minimum necessary information to accomplish a purpose, such as payment. 

Minimum necessary generally must be applied by all covered entities. This includes healthcare providers (e.g., physicians and hospitals), healthcare payers, and healthcare clearinghouses, says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, “The Privacy Professor”^®, in Des Moines, IA.

“Although [minimum necessary] in almost all cases does not apply to treatment activities, providers must follow minimum necessary for operations and payment activities. Payers must understand and support this compliance obligation when working with the providers,” says Herold.

However, insurance companies are requesting increasingly more patient information—sometimes the entire patient record, according to Chris Simons, RHIA, director of UM, health information management, and privacy officer at Spring Harbor Hospital in Westbrook, ME. Simons considers this amount of information excessive, but there is not much she can do about it.

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Case Management Monthly.

• E-mail to a Colleague
• Print
• RSS
• Archive
• Reprints / Permissions