HIPAA Privacy Rule

HIPAA Privacy Rule " Understanding Health Oversight Disclosures

HIPAA Privacy Rule Understanding Health Oversight Disclosures

At Healthcare Compliance Pros, we occasionally receive questions about disclosures for health oversight purposes. Health oversight can include disclosures for a variety of entities at the federal, state, and local levels. There are times when these entities will request health information about individuals, which leads to questions about if and how the information should be disclosed under the HIPAA Privacy Rule.

Under certain key provisions in the HIPAA Privacy Rule, covered entities are permitted to share protected health information (PHI) electronically with health oversight agencies without written authorization from the individual patient.

According to the U.S. Department of Health and Human Services' Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR), the HIPAA provision works across the following settings where health oversight occurs:

  • A health plan that shares beneficiary PHI with the state health insurance commissioner responsible for evaluating insurers' conduct in the marketplace;
  • A physician who sends her patients' PHI to the state medical board investigating patient complaints;
  • A nursing home that sends PHI to the state Medicaid fraud office in response to its request for data that could validate compliance with Medicaid billing guidelines;
  • A hospital that shares PHI with the U.S. Food and Drug Administration in connection to an investigation about the safety of certain implantable devices;
  • A health plan sending beneficiary enrollment PHI to a state insurance department conducting an audit to ensure civil rights compliance; and
  • Providers disclosing PHI to Centers for Medicare and Medicaid Services (CMS) contractors conducting Medicaid compliance work on behalf of CMS.

Remember, that even these types of disclosures must be kept to the minimum necessary for the intended purpose and always be disclosed in accordance with HIPAA Security Rule considerations.

Please contact us if you have additional questions, such as questions about permissible disclosures, by phone: 855-427-0427 or by email: support@hcp.md