HIPAA 101: Understanding Permitted Uses and Disclosures
Working with a Revenue Cycle Management Vendor is Included Under the Law
Patients today are able to receive improved medical care thanks to how easy it is to generate, use, and share information among medical professionals, including health insurance plan providers, who play an important role in ensuring their members’ medical treatments are well-coordinated and appropriate, and medical extended business offices.
The ability for each of these players, including the patients themselves, to access health information to make decisions and provide timely care are several reasons that make health reform so important in this country.
Even HIPAA Participates in the Revenue Cycle
The Privacy, Security, and Breach Notification Rules under HIPAA actually support information sharing by assuring patients that their health data would be kept confidential except for important and appropriate purposes, like coordinating care, billing, and filing insurance claims.
Other important aspects of HIPAA are to:
- Protect insurance coverage of workers after they lose or change their job
- Protect the privacy of medical information
- Set standards for transactions of electronic medical records, including the establishment of the Electronic Data Interchange (EDI)
- Establishes rules and consequences for fraudulent medical reporting practices
- Standardized medical codes
Healthcare Practitioner and Clinic Resources
Although regulations have been in place since 1996, health care providers sometimes feel uncertain about what is permissible under the Health Insurance Portability and Accountability Act (HIPAA). This confusion could be an obstacle to appropriately sharing digital health information.
To help alleviate this confusion, the United States Department of Health and Human Services (HHS), the Office of the National Coordinator for Health IT, and the Office for Civil Rights have collaborated to create two informative fact sheets that cover the HIPAA Permitted Uses and Disclosures, along with examples of how and when protected health information can be shared without requiring authorization from the patient.
Find these documents on the HHS website.
- Permitted Uses and Disclosures: Exchange of Health Care Operations
This fact sheet clarifies that an entity covered under HIPAA can disclose PHI to another covered entity for the purposes of providing health care. It also includes examples of how sharing PHI helps health care providers to coordinate care, enable case management, and conduct assessments for quality improvement.
A covered entity can share PHI with another covered entity for the purposes of providing medical care as long as both have or have had a provider-patient relationship with the patient in question, the PHI pertains to that relationship, and only the minimum required information is disclosed.
- Permitted Uses and Disclosures: Exchange for Treatment
This fact sheet indicates how health care providers should go about sharing PHI among each other to coordinate care for their patients, without needing patient consent, while still following HIPAA.
Covered entities may share PHI with hospitals and affiliated surgeons, business associates (like an extended business office medical billing vendor), and downline care facilities, like rehabilitation centers, as long as it is medically necessary for the patient.
Contracts with Business Associates Like EBOs
When you hire a contractor to perform business associate services, HIPAA requires that the contract between the covered entity and business associate include protections for PHI.
The contract must include specific information about safeguards on the individually identifiable PHI used or disclosed by the business associate. The contract must also indicate that the covered entity may not use or disclose PHI in a way that would violate HIPAA.
Your Notice of Privacy Practices for Patients
If you aren’t doing so, your practice should be requiring every patient to acknowledge and sign a copy of your Notice of Privacy Practices.
This document should outline permitted uses and disclosures of PHI, including those explained above. If you need assistance with creating a Notice of Privacy Practices, you can find sample documents online from HHS.
Working with a Medical Extended Business Office
Your medical practice works hard to care for your patients while upholding HIPAA law. Take one thing off your plate by working with Assistentcy, a revenue cycle management vendor and EBO medical billing company based in Lenexa, Kansas.
Our team at Assistentcy will help you create and enact a plan to handle self-pay accounts in a timely manner, with the goal of decreasing AR days and improving your revenue cycle. Whether you need a hospital EBO or one for your medical practice, Assistentcy can help you achieve financial strength without compromising on the quality patient care you’re known for providing. Rest assured that we adhere to HIPAA law, and all our team members are well-versed in proper handling of PHI.