Corporate Compliance

Q&A: Releasing patient records to insurance companies

Compliance Monitor, November 24, 2010

Q: An insurance company is requesting copies of medical records to review our CPT ® coding. These cases are at least one year old and have been paid already. The insurance company said its review will not affect our payment. Do we need patient authorization to release these records, since this does not involve treatment, payment, or office operations?

A: Covered entities (CE) are permitted to use or disclose PHI without patient authorization for treatment, payment, and healthcare operations. Most CEs think about their own healthcare operations, but the Privacy Rule permits CEs to release PHI to another CE—if the second CE needs the information for its healthcare operations—as long as both CEs have a relationship with the patient.

In this case, you may release patient records to the insurance company if it is auditing the accuracy of its claims payment process. This request is probably legitimate; you’ll simply need to get more information from the insurance company to ensure that this is part of its healthcare operations.

Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question in the December 2010 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter visit the HCMarketplace.

Most Popular