HIPAA, and the business associate agreements between the Company and its covered entity and business associate clients, require the Company to adhere to certain rules when using and disclosing “protected health information” or “PHI” of its members. “Protected health information” is defined by HIPAA as information, in any form or medium (including oral, written and electronic communications), that is created, received or maintained by the Company on behalf of a member, relates to an individual’s physical or mental health (e.g., provision of payment for) and identifies, or could be reasonably expected to be used to identify, an individual. Protected Health Information includes everything from a member’s name, address and telephone number to the member’s clinical and billing records.
Once a member has been deceased for more than 50 years, such information about him or her is no longer considered to be PHI.
The Company will not use or disclose PHI for purposes other than those permitted in the applicable business associate agreement.
The minimum necessary rule generally requires that, when using, disclosing or requesting protected health information (“PHI”), the Company take reasonable steps to limit the PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request. For example, if the Company discloses PHI for the purpose of receiving payment for services rendered, the amount of patient information disclosed should be limited to the minimum amount necessary to receive payment.
1. Permitted Uses: Except as listed below, the Company may not disclose PHI for any purpose unless it has obtained the member’s authorization and such disclosure is permitted pursuant to the terms of the applicable business associate agreement. The Company may disclose PHI for the following purposes, if permitted by the applicable business associate agreement, even if it is receiving direct or indirect remuneration in exchange for disclosing PHI:
(a) Public health activities;
(b) Research purposes, as long as the remuneration received is a reasonable cost-based fee to cover the cost to prepare and transmit the information for research purposes;
(c) Treatment and payment purposes;
(d) Sale, transfer, merger, or consolidation of all or any part of the Company and for related due diligence;
(e) Services rendered by a subcontractor business associate at the specific request of the Company;
(f) To a member or their personal representative when requested; or
(g) Otherwise required by law permitted under the privacy regulations.
Note: HIV, alcohol and/or substance abuse and mental health treatment records and genetic information enjoy additional confidentiality protections under state and federal law that must be followed. Questions concerning the disclosure of these types of information should be raised with the Privacy Officer.
2. Incidental Disclosures: Incidental uses or disclosures of PHI that occur as a by-product of an otherwise permitted or required use or disclosure are not considered to be violations of HIPAA, provided adequate safeguards have been put into place and minimum necessary policies have been implemented.
3. Patient Restrictions: A member has the right to request restrictions on how a covered entity uses or discloses their PHI to carry out treatment, payment and health care operations.
1. The applicable covered entity must agree to restrictions requested by members on the disclosure of PHI to a health plan if: a) the PHI pertains solely to health care items or services for which the member has paid the Company in full; and b) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law. If the covered entity informs the Company about such restrictions, the Company must similarly comply.
2. For all other member restriction requests, the covered entity does not have to agree to the restriction. When a member requests a restriction, the covered entity should determine whether it will honor the restriction. If the Company is informed of an approved restriction, the Company must also honor the restriction.
3. Company staff may not agree to any restrictions on the covered entity’s uses or disclosures of PHI without the prior approval of the covered entity.