Q. I’m having problems with managed care companies requesting PHI for their Healthcare Effectiveness Data and Information Set (HEDIS) quality reviews. When I ask them for the individual’s signed enrollment agreement to ensure that disclosure is appropriate, some of them tell me this is covered in our Notice of Privacy Practices (NPP). This doesn’t seem correct to me. Our NPP tells patients how we use their PHI, not how the managed care company uses it. Is it okay to release this information to the managed care company without the patient’s authorization?
A. Your interpretation is correct; your NPP explains how your organization uses PHI, not how payers may use it. However, you are permitted to disclose PHI to other CEs (such as managed care companies) for their healthcare operations, which would include HEDIS quality reporting. You don’t need the patient’s authorization for this disclosure, as long as both of the CEs have a relationship with the patient.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for the Health Insurance Portability and Accountability Act of 1996 privacy regulations.