HIPAA Privacy Guidance on Disclosing Protected Health Information
CMS wants to make you aware of a Frequently Asked Question (FAQ) answered by the HHS Office for Civil Rights (OCR). The FAQ explains the circumstances under which a health plan, such as a Part D plan sponsor, may disclose protected health information (PHI) to a person who calls the plan on the beneficiary’s behalf. You can readily access the FAQ from the “What’s New” column on the OCR Web site, http://www.hhs.gov/ocr/hipaa/, by clicking on “FAQ on Health Plans Disclosing PHI to Persons Assisting Beneficiaries.”
The FAQ states that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule permits a health plan (or other covered entity) to disclose PHI to a person, such as a family member, relative, or close personal friend, who’s involved with the individual’s care or payment. The FAQ also gives the example of a Medicare Part D plan disclosing PHI to a staff person with the Centers for Medicare & Medicaid Services who’s assisting a beneficiary with his/her Medicare prescription drug coverage.
The Privacy Rule’s verification requirements relating to the identity and authority of a person requesting PHI are met if a Part D plan sponsor (or other covered entity) relies on the exercise of professional judgment in making a disclosure under the circumstances explained in the FAQ. In exercising its professional judgment, a plan may disclose PHI to any person assisting a beneficiary, including: a family member or friend; staff working for a Federal, State, or local agency providing assistance for a public benefits program; a Congressional office; and a private patient assistance organization. These provisions support a major goal of the Privacy Rule: assuring that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care.

