Q&A: Faxing a HEDIS request without identifying the patient

Q. Is it a HIPAA violation if a hospital receives a faxed Healthcare Effectiveness Data and Information Set (HEDIS) request and the hospital cannot identify the patient by full name, last name, or birthdate?

These requests contain name, birthdate, provider, HEDIS measure (chlamydia screening, cervical cancer screening, cholesterol management, etc.), and last date of service of the patient. Typically, these faxed requests are from business associates of the patient's health insurance, but occasionally they come directly from the insurance company.

A. CEs are permitted to release PHI without the patient’s authorization or consent for treatment, payment, and healthcare operations. HEDIS data requests are considered part of quality-related healthcare operations. You may release the requested information if:

• You have enough information to clearly identify the patient
• The health plan has or had a relationship with the patient
• The period for which information is needed overlaps with the period the patient was enrolled in the health plan

To confirm that a business associate (BA) is working for the patient’s health plan, it is reasonable to request a letter of confirmation from the health plan that a particular BA is working on its behalf. Many health plans routinely submit such letters with their HEDIS requests to confirm the identity of the BA that will be requesting the information.

Editor's note: This question was answered by Mary Brandt, MBA, RHIA, CHE, CHPS. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.