It seems that requests by insurance companies, or contractors for insurance companies, for copies of client records are on the uptick. More providers of mental health services are receiving letters from these entities requesting copies of records for one or more identified clients. These letters are not accompanied by signed written authorizations from the clients whose records they seek to access. Providers receiving these letters are uncertain about how to respond and what information they can or are obligated to provide.
The HIPAA Privacy Rule gave health plans and self-insured employers regulatory permission to obtain information without client consent for billing and health care-related matters. The Amended HIPAA Privacy Rule expanded the uses for which these entities are authorized to obtain, use and disclose protected health information (PHI) without client consent to include the following:
- Due diligence in connection with the sale or transfer of assets;
- Certain types of marketing;
- Business planning and development;
- Business management and general administrative activities; and
- Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance. Section 164.501
Treatment of clients for long periods of time, or beyond a recognized average time period as experienced by the health plan, seems to be a trigger for a review of records. These requests often seek copies of session notes or progress notes. I have talked to providers who received requests for copies of a client’s entire file. The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. However, the minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment purposes.
It is important to remember that if a provider maintains psychotherapy notes as defined by the Privacy Rule, those notes are not subject to access by an insurance company. It is also important for providers to know if they are covered entities under the Privacy Rule.
So, if the health plan has concerns about the quality of services or the length of time services have been provided, it would appear to have a right to access the entire client file. If the requested use were for a billing question or issue, the minimum necessary standard should apply.
Upon receipt of one of these requests, I usually advise contacting the client to determine if they will provide written authorization to disclose the information requested. A provider might consider including a broad consent in the intake forms clients execute on the front end of treatment, authorizing the release of any and all information requested by the client’s health plan or payer of benefits. If the client’s authorization for release of the information sought has not been obtained and the letter received does not make clear the use for which the information is being requested, I advise getting clarification of use from the health plan or self-insured employer before determining how to respond. That information will inform whether or not the minimum necessary rule is in effect and how much the provider should release from the client file. Sometimes the requesting entity will agree to accept a summary of treatment, and it is worth pursuing this option.
At the end of the day, it is the provider’s decision on providing PHI of a client, and faced with the choice of being denied payment or future inclusion on a provider panel, the decision becomes personal and difficult. From my perspective, more needs to be done to challenge and limit an insurance company’s access to personal and sensitive client information.
Written by Tom Hartsell, Attorney at Law