HIPAA Q&A: Managed care companies and PHI

Compliance Monitor, May 16, 2012

Q. I’m experiencing problems with managed care companies that request PHI for their Healthcare Effectiveness Data and Information Set (HEDIS) quality reviews.

When I request the individual’s signed enrollment agreement to ensure that disclosure is appropriate, some managed care companies tell me this is covered in our Notice of Privacy Practices (NPP). This doesn’t seem correct to me. Our NPP explains how we use patients’ PHI, not how the managed care company uses it.

Is releasing this information to managed care companies without patient authorization permissible?

A. You are correct. Your NPP explains how your organization uses PHI, not how payers may use it.

However, you may disclose PHI to other CEs (e.g., managed care companies) for their healthcare operations, which includes HEDIS quality reporting. Patient authorization is not necessary for such disclosures, as long as both CEs have a relationship with the patient.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, Texas.
