Skip to Main Content

Print | Bookmark | Email | Font Size: + |

December 1, 2022

Disclosure of Protected Health Information

According to 45 CFR §164.506 disclosures to carry out treatment, payment and health care operations are permitted without an authorization. Covered entities can disclose personal health information to ensure access to treatment, proper reimbursement, and quality improvement activities.

Covered entities include:

  • Healthcare providers such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, etc.
  • Health insurance companies, HMOs, company health plans
  • Government programs which pay for health care such as Medicare, Medicaid, military, veteran's health
  • Health care clearinghouse such as billing services and health management information systems

Access to treatment and efficient payment require the use of protected health information which is essential to healthcare operations. These operations may include:

  • Administrative
  • Financial
  • Legal
  • Quality Improvement Activities

These operations are necessary for a covered entity to run its business. They are essential to support treatment and payment for services rendered.

Applying the Rule

The Privacy Rule permits health care covered entities to use and disclose personal health information (PHI) without authorization for:

  • Treatment: the provision, coordination, or management of healthcare and related services by one or more health care providers
  • Payment: activities of healthcare providers to obtain payment or be reimbursed for their services

Common payment activities include:

  • Determining eligibility or coverage under a plan
  • Risk adjustments
  • Billing and collection activities
  • Reviewing health care services for medical necessity, coverage, justification of charges, etc.
  • Utilization review activities

Responding to Additional Document Requests (ADR)

According to the SSA section 1833 (e) contractors are authorized to gather medical documentation to determine proper payment for services. ┬áPer Medicare Program Integrity Manual Chapter 3 § the MACs, CERT, SMRCs, and RAC shall:

request records related to the claim(s) being reviewed and have the discretion to collect documentation related to the beneficiary's condition before and after a service.

The benefits of a covered entity complying to an ADR request include but are not limited to:

  • Payment for services rendered
  • Preventing delays in providing health care services
  • Facilitating quality improvement practices
  • Guidance and education related to services provided to ensure proper reimbursement
  • Preventing recoupment of funds
  • Decrease time spent going through the appeals process

If a covered entity chooses not to comply with an ADR request from a MAC or another government program which handles Medicare and Medicaid, it may result in one or more of the following:

  • Recoupment of all or partial amount of funds
  • A denial of all claims submitted
  • A lengthy appeals process
  • Delays in reimbursement for services rendered
  • Delays in providing health care services to beneficiaries
  • Beneficiary dissatisfaction
  • Poor quality improvement results
  • Investigations into billing practices

As a covered entity, CGS Administrators must comply with HIPAA rules. PHI disclosed to CGS Administrators for medical review is protected from misuse and kept confidential.



26 Century Blvd Ste ST610, Nashville, TN 37214-3685 © CGS Administrators, LLC. All Rights Reserved