Patient’s Guide to HIPAA – Uses and Disclosures: Is My Consent Needed to Disclose Records for Treatment or Payment?
You are reading the Patient’s Guide to HIPAA, FAQ 55 .
HIPAA Guide Quick Links:
FAQ 55: Is My Consent Needed to Disclose Records for Treatment or Payment?
No. Medical records can be used and disclosed without your approval for treatment, payment, and health care operations. Treatment is the providing, management, or coordination of health care by a health care provider. The formal definition is slightly more complicated, but the basic concept is relatively simple.
The definition of payment is more complex. It includes activities by a health plan to determine coverage and provision of benefits and activities by a provider to obtain reimbursement. Payment also includes determining eligibility or coverage, including benefit coordination, cost sharing, adjudication and subrogation (making a third party pay) of benefits. It includes risk adjustment based on enrollee status and characteristics. Patient data may also be used for billing, claims management, collection activities for bad debts, and reinsurance activities.
We are not done with payment. It also includes review for medical necessity and appropriateness of care as well as utilization review, such as pre-certification and preauthorization services. Disclosure to credit bureaus of information relating to collection of premiums or reimbursement is another payment disclosure.
All of those activities, and perhaps a bit more, fall under payment. The breadth of payment activities reflects the complexity of the health care system, the multiple inter-relationships between providers and payors, and the range of insurance activities.
The definition of payment is just a warm up for understanding disclosures for health care operations, another category of disclosure that does not require patient consent. The formal definition goes on for about 400 words. It includes quality assessment, quality improvement, development of clinical guidelines, management and care coordination, review of provider competence, student training, underwriting, premium rating, medical review, legal services, auditing, fraud detection, business planning, business management, customer service, transfer or sale of a business, and fundraising.
We didn’t include every type of health care operation here, but you should already get the idea. Further, many of the functions mentioned here are complex tasks that encompass other layers of activities and involve the sharing of medical records with people far removed from any activity that the average person would readily identify as part of routine health care management.
One new limit on use and disclosure of genetic information is the result of the Genetic Information Nondiscrimination Act of 2008 (GINA). GINA made it illegal to use genetic information for most underwriting purposes. That’s good, but it’s not much in the way of health information disclosure restrictions. GINA also generally prohibits use of genetic information in health insurance and employment. Those are good restrictions too, mostly in furtherance of preventing discrimination against individuals with genetic predispositions. There’s much to debate about GINA, but not here. From a narrow privacy perspective, GINA only helps a little.
Roadmap: Patient’s Guide to HIPAA: Part 3: What You Should Know about Uses and Disclosures (FAQ 55 of 65)