August 12, 2010

HIPAA Isn't a Shield Against Third-Party Payor Audits

A frequent question from physicians, medical practices and other providers I represent is whether the HIPAA Privacy Rule prohibits them from providing third-party payors with access to medical records for the purposes of an audit. In other words, does HIPAA prevent third-party payors from conducting post-payment audits?

The Privacy Rule, which provides a foundation of federal protection for private health information, sets important boundaries on the release of medical records to third parties. The Rule prohibits a health care provider from disclosing protected health information without an authorization by the patient, unless this prohibition would interfere with patient access to, or the quality of, health care. An underlying premise of the Rule is that access to treatment and efficient payment for health care is essential to the effective operation of the health care system, and that certain health care operations are essential to support treatment and payment.

To this end, the Privacy Rule permits covered entities, including health care providers, to use and disclose protected health information -- with certain exceptions -- for treatment, payment and health care operations without the patient's authorization.

According to the Privacy Rule, "payment" includes health care providers' attempts to obtain payment or be reimbursed for their services, and a health plan's work to provide benefits. Examples of "payment" actions include review of health care services with respect to medical necessity, coverage, appropriateness of care or justification of charges.

Obviously, post-payment audits, which include reviewing physician documentation in medical records to determine if the services meet payor criteria for reimbursement, fall within this HIPAA definition of "payment." Therefore, a health care provider is permitted to disclose medical records to a health plan during this "payment" function without an authorization from the patient.

Although health care providers typically cannot prevent an audit from occurring, there are many steps providers can take to improve their chances of a successful outcome. Health care providers should consult with counsel experienced in audit defense as soon as they are notified of an audit. If you have questions about audits or have been notified that your entity is being audited, please contact Deborah Williamson (248.784.5056) or another attorney in the Warner Norcross & Judd Health Law Group.
