Health plans can communicate patient information without the patient's authorization primarily for purposes related to treatment, payment, or healthcare operations. Other instances, such as a health plan communicating benefits, may also not require authorization.
A health plan is defined as any individual or group plan that provides or pays for medical care, which covers a wide range of options such as employer-sponsored health insurance, government programs like Medicare and Medicaid, and private health insurance plans. HIPAA classifies health plans as one of the main categories of covered entities.
These are organizations that handle and transmit protected health information (PHI). Certain organizations are excepted from this classification, such as employer-administered group health plans with fewer than 50 participants and liability insurance plans.
Explicit authorization is required before disclosing PHI, by any communication method, for purposes that extend beyond treatment, payment, and healthcare operations (TPO). The specific instances where covered entities like health plans must first obtain patient authorization include:
As mentioned above, patient authorization is not necessary for communications of PHI for purposes related to TPO. Simply put, health plans may share information to coordinate a patient's care, process claims, or carry out administrative tasks without obtaining explicit patient authorization.
Insurers in the U.S. are also required by federal and state laws to send explanations of benefits (EOBs) to policyholders. An example of where this becomes tricky is discussed in a journal article published in the AMA Journal of Ethics: “When a patient is covered on a policy of someone else—a parent or a spouse—communications about claims often go to the policyholder, thereby disclosing the patient’s confidential health information.” EOBs, as a necessary part of payment and health plan operations, fall under TPO and do not require authorization.
Additionally, the same exceptions that apply to other covered entities and business associates also apply to health plans. These include disclosures required by law, such as those for public health and legal proceedings. In a disease outbreak, or when served with a subpoena for patient information, health plans can be compelled to share PHI.
Even where authorization is not required, covered entities and business associates should use secure communications for every communication involving PHI. Here’s how to maintain secure, HIPAA compliant communications:
Covered entities are directly subject to HIPAA, while business associates perform functions involving PHI on behalf of covered entities under a business associate agreement and, since the 2013 Omnibus Rule, are directly liable for certain HIPAA provisions as well.
Consent is a patient's general agreement to the use of their PHI, while authorization is specific written permission for particular uses and disclosures of PHI.
Explanations of Benefits (EOBs) are considered necessary communications for payment processing and healthcare operations, although they can inadvertently disclose PHI about patients covered under someone else's insurance policy.