Live Webinar | Operations and Other Technology
Live Webinar | Patient Financial Communications
Live Webinar | Costing and Managerial Accounting
Q&A | Privacy and HIPAA

Ask the Experts: HIPAA compliance

Q&A | Privacy and HIPAA

Ask the Experts: HIPAA compliance

What are the HIPAA implications of accessing existing subscriber information in our records for patients who don’t have their insurance information?

We were recently having an internal discussion about whether the following scenarios are HIPAA compliant: 

Scenario 1: A patient comes to the emergency department and tells registration that she can't remember her insurance information but has the same insurance as her spouse. She asks that we get the information from his account. I feel this is HIPAA compliant because we are accessing his record to gain information for payment on the account which is exempt from HIPAA due to this business purpose of payment. Do you agree?  

Scenario 2: A patient has an insurance card but does not know the subscriber's date of birth. We see that the subscriber has been treated at our hospital before, so we get that information from his account. Again, same reasoning as above to conclude that this is not a HIPAA violation. Do you agree? 

Scenario 3: We are starting a project to use a new software tool to discover insurance coverage. If coverage is found, we add the coverage and bill insurance. Can patients object to this because they did not provide the insurance information to us? Again, same reasoning as above that this is not a HIPAA violation. Do you agree? 

Our security officer is asking that we specifically document these types of situations in a department procedure manual that states what is and is not okay. He wants to be able to determine more specifically if the employee had a business purpose for accessing patient records and to what extent the record can be accessed.

Answer 1Regarding scenario 1, patient A can’t give authorization to look at patient B’s information. The patient or the hospital staff could call her spouse at a number she provides to either ask for that information or ask if it is acceptable to access and use the information in his account. 

It is the same answer for Scenario 2.   

For scenario 3, patients can object, but not based on HIPAA, if the tool is using data from its own database rather than data the hospital collected from anyone other than the patient. 

This question was answered byMarty Knutson is a health lawyer in private practice and is a member of HFMA’s Southern California Chapter. 

Answer 2: My only caution is with scenario 3 (i.e., found insurance not provided by the patient). If the patient registered as self-pay, unless there is documentation from the patient stating they have insurance but do not have that information with them, I would confirm with the patient that it is all right to bill the discovered insurance. There are occasions when patients may not want the insurance billed for a service and obtaining patients' permission would be good policy. 

This question was answered by: Suzanne Lestina, director of administrative simplification, American Hospital Association, and a member of HFMA’s First Illinois Chapter. 

Answer 3: Interesting. I can’t answer scenario 1 because we don’t have an emergency department.   

Regarding scenario 2, I would assume if we have enough information on the insurance card (e.g., policy number) to run an eligibility check through our eligibility software then we’re done. No need to check another account.  

We use an insurance discovery system if insurance has terminated and we are looking for new coverage and not easily able to contact the patient. Our patients are often with us for some time. I don’t see why that would be a HIPAA violation. I am not an attorney or privacy expert but would agree that this is all part of “payment and operations” in which you are using data as needed to support the business need. Account documentation would show the employee working the normal processes as a result of learning that coverage has changed.  

This question was answered by: Ruth Landé, senior vice president patient revenues, Memorial Sloan-Kettering Cancer Center, and a member of HFMA’s Metropolitan New York Chapter. 

The information provided through the Forum’s Ask the Expert service does not constitute legal advice, even when the advice is provided by lawyers. You need to obtain your own legal counsel for legal advice and consider the laws and regulations that govern your state. The content and opinions expressed are those of the Forum experts, and not that of their employers or of HFMA. HFMA does not endorse the material or warrant or guarantee its accuracy. The responses are based only on the specific facts or circumstances provided. Forum experts cannot be held liable for outcomes related to any information provided.

Sign up for a free guest account and get access to five free articles every month.


Related Articles | Privacy and HIPAA

Blog | Enterprise Risk Management

Healthcare News of Note: More Office for Civil Rights funding could boost HIPAA enforcement

Healthcare News of Note for healthcare finance professionals is a roundup of recent news articles: Cybercrime against healthcare organizations overwhelms the federal Office for Civil Rights, the cost of health inequities could reach $1 trillion, and primary care physicians need more hours in the day to provide recommended care.

Blog | Healthcare Legal

CMS says EMTALA covers situations in which terminating a pregnancy is medically necessary

Even in situations that don’t qualify as life-threatening, the Biden administration says patients have the legal right to receive any type of stabilization measure at the discretion of their physician.

Blog | Coronavirus

HHS policy update: Recent developments include an extension of the public health emergency and notable progress in reducing the Medicare appeals backlog

HHS Secretary Xavier Becerra signed a 90-day extension of the COVID-19 public health emergency, ensuring the PHE will last until at least mid-July.

Blog | Enterprise Risk Management

Fitch describes the heightened risk posed by cyberattacks on not-for-profit hospitals

Cyberattacks on NFP hospitals increased substantially during the COVID-19 pandemic and show no signs of abating, Fitch says.