Skip to Main Content Skip to Footer Toggle Navigation Menu

14.6 Use or Disclosure of Protected Health Information (PHI)

14.6.1 POLICY STATEMENT

In order for the Health Plan to use or disclose (including obtaining) protected health information (PHI), the use or disclosure must either (1) fall under the enumerated uses and disclosures allowed without an individual authorization, or (2) the Health Plan must obtain an individual authorization.

14.6.2 POLICY INTERPRETATION AND IMPLEMENTATION

Use and Disclosure not Requiring an Individual AuthorizationPHI may only be used or disclosed without an individual authorization for treatment, payment, or health care operations (TPO). These purposes include:The Health Plan may use or disclose PHI for its own treatment, payment, or health care operations;The Health Plan may disclose PHI to another covered entity for the payment activities of that entity;The Health Plan may disclose PHI to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the PHI, the PHI pertains to such relationship, and the disclosure is:For health care operations regarding conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives, and related functions that do not include treatment, reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, credentialing activities; orFor the purpose of health care fraud and abuse detection or compliance.Nothing in this paragraph 1, prevents the Health Plan from obtaining an individual authorization for use and disclosure of PHI for TPO purposes.
 
Use and Disclosure Requiring an Individual AuthorizationAn individual authorization is required for any use or disclosure of PHI that is not allowed without the individual authorization. This includes, but is not limited to:Psychotherapy notes;Marketing, except if the communication is in the form of:Face-to-face communication made by the Health Plan to an individual; orA promotional gift of nominal value provided by the Health Plan.
  
Definition of PHIProtected Health Information (PHI) means individually identifiable information relating to the past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual.
  
Definition of TPOTreatment, Payment and Health Care Operations (TPO) includes all of the following:
 Treatment means the provision, coordination, or management of health care and related services, consultation between providers relating to an individual or referral of an individual to another provider for health care.Payment means activities undertaken to obtain or provide reimbursement for health care, including determinations of eligibility or coverage, billing, collection activities, medical necessity determinations and utilization review.Health Care Operations includes functions such as quality assessment and improvement activities, reviewing competence or qualifications of health care professionals, conducting or arranging for medical review, legal services, and auditing functions, business planning and development, and general business and administrative activities.
  
Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both.
  
Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (651) 696-6280.
  
ViolationsViolations of this policy will be subject to discipline.