A frequent question of physicians, medical practices and other providers I represent is whether the HIPAA Privacy Rule prohibits them from providing third-party payors with access to medical records for the purposes of an audit. In other words, does HIPAA prevent third-party payors from conducting post-payment audits?
The Privacy Rule, which provides a foundation of federal protection for private health information, sets important boundaries on the release of medical records to third parties. The Rule prohibits a health care provider from disclosing protected health information without an authorization by the patient, unless this prohibition would interfere with patient access to, or the quality of, health care. An underlying premise of the Rule is that access to treatment and efficient payment for health care is essential to the effective operation of the health care system, and that certain health care operations are essential to support treatment and payment.
To this end, the Privacy Rule permits covered entities, including health care providers, to use and disclose protected health information -- with certain exceptions -- for treatment, payment and health care operations without the patient's authorization.
According to the Privacy Rule, "payment" includes health care providers' attempts to obtain payment or be reimbursed for their services, and a health plan's work to provide benefits. Examples of "payment" actions include review of health care services with respect to medical necessity, coverage, appropriateness of care or justification of charges.
Obviously, post-payment audits, which include reviewing physician documentation in medical records to determine if the services meet payor criteria for reimbursement, fall within this HIPAA definition of "payment." Therefore, a health care provider is permitted to disclose medical records to a health plan during this "payment" function without an authorization from the patient.
Although health care providers typically cannot prevent an audit from occurring, there are many steps providers can take to improve their chances of a successful outcome. Health care providers should consult with counsel experienced in audit defense as soon as they are notified of an audit. If you have questions about audits or have been notified that your entity is being audited, please contact Deborah Williamson (firstname.lastname@example.org or 248.784.5056) or another attorney in the Warner Norcross & Judd Health Law Group.