HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



HIPAA Q&A: Managed care companies and PHI

Email This Post Print This Post

Q. I’m having problems with managed care companies requesting PHI for their Healthcare Effectiveness Data and Information Set (HEDIS) quality reviews. When I ask them for the individual’s signed enrollment agreement to ensure that disclosure is appropriate, some of them tell me this is covered in our Notice of Privacy Practices (NPP). This doesn’t seem correct to me. Our NPP tells patients how we use their PHI, not how the managed care company uses it. Is it okay to release this information to the managed care company without the patient’s authorization?

A. Your interpretation is correct; your NPP explains how your organization uses PHI, not how payers may use it. However, you are permitted to disclose PHI to other CEs (such as managed care companies) for their healthcare operations, which would include HEDIS quality reporting. You don’t need the patient’s authorization for this disclosure, as long as both of the CEs have a relationship with the patient.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for the Health Insurance Portability and Accountability Act of 1996 privacy regulations.


Categories : HIPAA Q&A


  1. Stephanie says:

    I believe the disclosing CE is still required to obtain some assurance that the Managed Care company did in fact have a relationship with the individual who is the subject of the disclosure for the times/dates and services being requested.

  2. Ronda Hogan says:

    I verify the payor with our billing office and ask the requestor to provide a ‘relationship’ letter. However, these requests for chart reviews for various reasons are coming more frequently and are becoming more costly for providers to print and mail records. Does anyone happen to know a reason(s) in which providers are not permitted to charge the standard fees for release of information? We may be required to provide the record, but are we required to provide it free of charge?

  3. essay papers says:

    Do you understand that masters essays writing corporations don’t betray their clients. Therefore, it is available to pay for essay safely.

Leave a Reply