• E-mail
• Print
• RSS

Gathering information about the competition

Compliance Monitor, April 7, 2006

Want to receive articles like this one in your inbox? Subscribe to Compliance Monitor!

Q: Our health system would like to obtain information about patients who receive services from competing, non-health system providers, laboratories, and emergency departments.

We were thinking of asking one of our payers to provide this information. This payer pays for the services provided to the health plan members by the area facilities and providers. The payer also has all of this information about where its members receive services. The health system has agreed to use this information only for care management.

Is the above scenario permitted under the HIPAA Privacy regulations? Is this potentially an anti-trust issue because the health system would be gathering information about competitors? If so, should a written agreement be put into place that outlines the purposes of the exchange of information?

A:I feel quite strongly that, regardless of the covering entity's healthcare insurance relationship with its members, unless providers or patients have signed specific releases for information to be used for disease management purposes and/or this type of activity is covered in the entity's Notice of Privacy Practices (NPP), which is agreed to in writing by the patient, then this kind of activity falls squarely back to the HIPAA privacy basics: protected health information (PHI) cannot be disclosed unless the patient has signed a release with the purpose for the disclosure/use of the PHI clearly stated.

The standard releases generally cover the entity's need to share PHI with other providers as well as carry out business operations. Additional uses are clearly prohibited and might actually be prohibited by upper strata of privacy regulations mandated by the state (which takes precedence over federal guidelines in these matters). If not covered by specific NPI release and/or agreed to within the entity's NPP, then the entity's request for these clinical records/data is a violation of the intent of the HIPAA privacy regulations.

Thanks to Michael G. Calahan, VP of Client Services for the Burgess Group in Alexandria, VA, for answering today's question.

Want to receive articles like this one in your inbox? Subscribe to Compliance Monitor!

• E-mail to a Colleague
• Print
• RSS
• Archive