December 1, 2022
Disclosure of Protected Health Information
According to 45 CFR §164.506 disclosures to carry out treatment, payment and health care operations are permitted without an authorization. Covered entities can disclose personal health information to ensure access to treatment, proper reimbursement, and quality improvement activities.
Covered entities include:
- Healthcare providers such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, etc.
- Health insurance companies, HMOs, company health plans
- Government programs which pay for health care such as Medicare, Medicaid, military, veteran's health
- Health care clearinghouse such as billing services and health management information systems
Access to treatment and efficient payment require the use of protected health information which is essential to healthcare operations. These operations may include:
- Administrative
- Financial
- Legal
- Quality Improvement Activities
These operations are necessary for a covered entity to run its business. They are essential to support treatment and payment for services rendered.
Applying the Rule
The Privacy Rule permits health care covered entities to use and disclose personal health information (PHI) without authorization for:
- Treatment: the provision, coordination, or management of healthcare and related services by one or more health care providers
- Payment: activities of healthcare providers to obtain payment or be reimbursed for their services
Common payment activities include:
- Determining eligibility or coverage under a plan
- Risk adjustments
- Billing and collection activities
- Reviewing health care services for medical necessity, coverage, justification of charges, etc.
- Utilization review activities
Responding to Additional Document Requests (ADR)
According to the SSA section 1833 (e) contractors are authorized to gather medical documentation to determine proper payment for services. Per Medicare Program Integrity Manual Chapter 3 §3.2.3.4 the MACs, CERT, SMRCs, and RAC shall:
request records related to the claim(s) being reviewed and have the discretion to collect documentation related to the beneficiary's condition before and after a service.
The benefits of a covered entity complying to an ADR request include but are not limited to:
- Payment for services rendered
- Preventing delays in providing health care services
- Facilitating quality improvement practices
- Guidance and education related to services provided to ensure proper reimbursement
- Preventing recoupment of funds
- Decrease time spent going through the appeals process
If a covered entity chooses not to comply with an ADR request from a MAC or another government program which handles Medicare and Medicaid, it may result in one or more of the following:
- Recoupment of all or partial amount of funds
- A denial of all claims submitted
- A lengthy appeals process
- Delays in reimbursement for services rendered
- Delays in providing health care services to beneficiaries
- Beneficiary dissatisfaction
- Poor quality improvement results
- Investigations into billing practices
As a covered entity, CGS Administrators must comply with HIPAA rules. PHI disclosed to CGS Administrators for medical review is protected from misuse and kept confidential.
Resources
- 45 CFR §164.506 Uses and disclosures to carry out treatment, payment or healthcare operations
- 45 CFR §164.508 Uses and disclosures for which an authorization is required
- CMS Medical Review and Education
- CMS Targeted Probe and Educate
- HHS.gov: Health Information Privacy: Covered Entities and Business Associates
- HHS.gov: Summary of HIPAA Privacy Rule
- Medicare Program Integrity Manual Chapter 3 Verifying potential errors and taking corrective actions
- MLN Booklet HIPAA Basics for Providers: Privacy, Security, & Breach Notification Rules
- Social Security Act section 1833 (e) Payment of Benefits