Can Medical Providers Disclose Health Information When Seeking Payment?

There are a variety of situations where disputes may arise regarding the use and disclosure of protected health information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) ensures that people's private information will be kept confidential when they receive medical treatment. However, this can sometimes present difficulties for medical providers who need to seek payment for the services provided to patients. When disputes arise regarding whether a provider improperly disclosed a patient's PHI, it is important for the parties involved to understand how the laws may apply in these situations.

HIPAA Rules for Communicating With People Other Than Patients

In most cases, HIPAA prohibits the disclosure of protected health information unless a provider receives written permission from a patient. However, HIPAA's Privacy Rule does allow providers or people or organizations they employ, such as collection agencies, to disclose PHI when necessary to obtain payments for health care services that were provided to patients.

A provider may contact people other than the patient to pursue payment, such as the person's spouse or others who handle their financial affairs, as well as insurance companies or payment providers. For instance, if a person had paid for a service with a credit card, and they later disputed that charge, the provider may contact the credit card company and provide evidence that the services were provided to the patient. By providing information to show that the charge was valid, the provider may be able to resolve the dispute and receive payments for services performed. The Privacy Rule does not place any limits on parties to whom disclosures may be made, so providers are allowed to make reasonable, necessary disclosures to collect payments.

It is important to note that while HIPAA does allow disclosures in some situations, the information disclosed should be limited to the minimum that is reasonably necessary. Providers should have policies and procedures in place to limit access to protected health information within the organization or by external providers such as collection agencies. Requests for information should be reviewed on a case-by-case basis to ensure that a provider is following the correct procedures and protecting patients' privacy.

For the purposes of collecting payments, healthcare providers will generally need to limit the information provided to people other than patients to the most basic information about the services that were performed. For example, to demonstrate that a patient received services, the provider may submit a copy of an invoice while redacting information about the types of treatment the patient received and other sensitive identifying information, such as their birth date and Social Security number. Information provided may include the patient's name, the date they received treatment, and the total cost of the services provided.

Contact Our Cook County HIPAA Dispute Mediator

When disputes related to the use or disclosure of sensitive personal information arise, patients, healthcare providers, or other parties who are involved will need to understand their options for resolving these issues. At Privacy & Technology Mediation Services, we provide mediation and dispute resolution services, and with our understanding of the laws and rules surrounding HIPAA and PHI, we can provide guidance on how to handle these issues effectively. To set up a free consultation and learn more about our mediation services, contact our Chicago HIPAA dispute resolution professional at 312-767-3900.

Sources:

https://www.hhs.gov/hipaa/for-professionals/faq/266/does-the-privacy-rule-permit-a-covered-entity-to-communicate-with-other-parties-regarding-a-bill/index.html

https://www.govinfo.gov/content/pkg/CFR-2003-title45-vol1/xml/CFR-2003-title45-vol1-sec164-514.xml