Q&A | Privacy and HIPAA

Ask the Experts: HIPAA compliance


What are the HIPAA implications of accessing existing subscriber information in our records for patients who don’t have their insurance information?

We were recently having an internal discussion about whether the following scenarios are HIPAA compliant: 

Scenario 1: A patient comes to the emergency department and tells registration that she can't remember her insurance information but has the same insurance as her spouse. She asks that we get the information from his account. I feel this is HIPAA compliant because we are accessing his record to gain information for payment on the account which is exempt from HIPAA due to this business purpose of payment. Do you agree?  

Scenario 2: A patient has an insurance card but does not know the subscriber's date of birth. We see that the subscriber has been treated at our hospital before, so we get that information from his account. Again, same reasoning as above to conclude that this is not a HIPAA violation. Do you agree? 

Scenario 3: We are starting a project to use a new software tool to discover insurance coverage. If coverage is found, we add the coverage and bill insurance. Can patients object to this because they did not provide the insurance information to us? Again, same reasoning as above that this is not a HIPAA violation. Do you agree? 

Our security officer is asking that we specifically document these types of situations in a department procedure manual that states what is and is not okay. He wants to be able to determine more specifically if the employee had a business purpose for accessing patient records and to what extent the record can be accessed.

Answer 1: Regarding scenario 1, patient A can’t give authorization to look at patient B’s information. The patient or the hospital staff could call her spouse at a number she provides to either ask for that information or ask if it is acceptable to access and use the information in his account.

It is the same answer for Scenario 2.   

For scenario 3, patients can object, but not based on HIPAA, if the tool is using data from its own database rather than data the hospital collected from anyone other than the patient. 

This question was answered by: Marty Knutson, a health lawyer in private practice and a member of HFMA’s Southern California Chapter.

Answer 2: My only caution is with scenario 3 (i.e., found insurance not provided by the patient). If the patient registered as self-pay, unless there is documentation from the patient stating they have insurance but do not have that information with them, I would confirm with the patient that it is all right to bill the discovered insurance. There are occasions when patients may not want the insurance billed for a service and obtaining patients' permission would be good policy. 

This question was answered by: Suzanne Lestina, director of administrative simplification, American Hospital Association, and a member of HFMA’s First Illinois Chapter. 

Answer 3: Interesting. I can’t answer scenario 1 because we don’t have an emergency department.   

Regarding scenario 2, I would assume if we have enough information on the insurance card (e.g., policy number) to run an eligibility check through our eligibility software then we’re done. No need to check another account.  

We use an insurance discovery system if insurance has terminated and we are looking for new coverage and not easily able to contact the patient. Our patients are often with us for some time. I don’t see why that would be a HIPAA violation. I am not an attorney or privacy expert but would agree that this is all part of “payment and operations” in which you are using data as needed to support the business need. Account documentation would show the employee working the normal processes as a result of learning that coverage has changed.  

This question was answered by: Ruth Landé, senior vice president patient revenues, Memorial Sloan-Kettering Cancer Center, and a member of HFMA’s Metropolitan New York Chapter. 

The information provided through the Forum’s Ask the Expert service does not constitute legal advice, even when the advice is provided by lawyers. You need to obtain your own legal counsel for legal advice and consider the laws and regulations that govern your state. The content and opinions expressed are those of the Forum experts, and not that of their employers or of HFMA. HFMA does not endorse the material or warrant or guarantee its accuracy. The responses are based only on the specific facts or circumstances provided. Forum experts cannot be held liable for outcomes related to any information provided.
