Allowed activities under HIPAA privacy regulations
The HIPAA privacy regulations allow covered entities, including health care providers and health plans (such as AmeriHealth Caritas Louisiana), the ability to use or disclose PHI about its members for the purposes of treatment, payment and/or health plan operations (TPO) without a member's consent or authorization. This includes access to a member's medical records when necessary and appropriate.
“TPO” allows a health care provider and/or AmeriHealth Caritas Louisiana to share members' PHI without consent or authorization by establishing these purposes as follows:
“Treatment” includes the provision, coordination, management, consultation, and referral of a member between and among health care providers.
Activities that fall within the "payment" category include, but are not limited to:
- Determination of member eligibility
- Reviewing health care services for medical necessity and utilization review
- Review of various activities of health care providers for payment or reimbursement to fulfill AmeriHealth Caritas Louisiana‘s coverage responsibilities and provide appropriate benefits
- To obtain or provide reimbursement for health care services delivered to members
- Certain quality improvement activities such as case management and care coordination
- Quality of care reviews in response to member or state/federal queries
- Response to member complaints/grievances
- Administrative and financial operations such as conducting Health Plan Employer Data And Information Set (HEDIS) reviews
- Member services activities
- Legal activities such as audit programs, including Fraud and abuse detection to assess conformance with compliance programs
While there are other purposes under the privacy regulations for which AmeriHealth Caritas Louisiana and/or a health care provider might need to use or disclose a member's PHI, TPO covers a broad range of information sharing.
For more information on HIPAA and/or the privacy regulation, contact Provider Services at 888-922-0007.