November 2024 Issue
Does the HIPAA Privacy Rule always rule?
Know when the HIPAA Privacy Rule doesn’t apply when releasing patient PHI to Optum and other health plans.
It’s good practice to be cautious about releasing protected health information (PHI), especially when it relates to patients in your care. The HIPAA Privacy Rule outlines standards providers and health plans must follow to protect sensitive information.
On the other hand, do you know when it’s permissible to release PHI without getting additional patient consent?
What HIPAA means day-to-day
Your contract (participation agreement) with Optum includes a provision requiring you to participate in audit and medical record reviews.
HIPAA allows the release of PHI to Optum, other health plans and business associates* when it’s related to the patient’s treatment, claim payment and healthcare operations of the plan. If you have a signed HIPAA consent form from the patient, you’re all set. No additional consent is needed for the individual requests. Types of PHI requests include:
- Documentation of medical necessity to support a prior authorization request for treatment
- Medical records to validate that all services included in a claim are reflected in the patient’s file – it’s a key way to prevent payment of services that were not actually delivered
  - These types of review can be done both before and after a claim is paid
- State- or plan-related audits to monitor quality and regulatory compliance
- Confirmation that a patient has attended a post-discharge appointment, so case management teams can quickly follow up with members to ensure they have access to care
- Risk adjustment audits required under the Affordable Care Act to determine the severity of illnesses of plan members
- Monitoring of HEDIS measures for required quality reporting
Your timely response matters
You may receive these record requests from Optum or UnitedHealthcare case management teams, as well as from vendors we contract with to perform these reviews. All vendors have a business associate agreement with Optum or UnitedHealthcare, compliant with HIPAA privacy regulations.
Any outreach you receive from an authorized vendor will note that they are conducting a review on our behalf, and many will have both the vendor logo and Optum or UnitedHealthcare logos. If you’re contacted by any of the vendors we work with, please provide the information they request as quickly as possible. Vendor-requested information sent to Optum or UnitedHealthcare cannot be forwarded.
Responding quickly to these requests helps members get the care they need for a successful recovery. And it helps Optum pay claims quickly and accurately, and complete required audits on time.
Want to know more about the privacy law?
Take a closer look: PHI Disclosure to Member Health Plans
*As outlined in HIPAA privacy regulations (45 CFR 160.103), Optum has entered into a business associate agreement with UnitedHealthcare. This means it can review claim information without additional patient authorization as a business associate for the purposes of enhancing member care.
Article published November 12, 2024