Health Information Management

Q&A: Releasing records to an insurance company

HIM-HIPAA Insider, December 7, 2010

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Q. An insurance company is requesting copies of medical records to review our CPT® coding. These cases are at least one year old and have been paid already. The insurance company said its review will not affect our payment. Do we need patient authorization to release these records, since this does not involve treatment, payment, or office operations?

A. Covered entities (CE) are permitted to use or disclose PHI without patient authorization for treatment, payment, and healthcare operations. Most CEs think about their own healthcare operations, but the Privacy Rule permits CEs to release PHI to another CE—if the second CE needs the information for its healthcare operations—as long as both CEs have a relationship with the patient.
 
In this case, you may release patient records to the insurance company if it is auditing the accuracy of its claims payment process. This request is probably legitimate; you’ll simply need to get more information from the insurance company to ensure that this is part of its healthcare operations.
 
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX answered this question, which originally appeared in the December issue of Briefings on HIPAA.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular