The onus for determining the minimum necessary for HIPAA payment falls on payers - PAS #25

    • Type: Change Request
    • Resolution: Persuasive with Modification
    • Priority: Medium
    • US Da Vinci PAS (FHIR)
    • STU3
    • Financial Mgmt
    • (profiles) [deprecated]
    • HIPAA
      Add the following wording:

      The profiles in this IG are defined to ensure sufficient information to properly populate the X12 specifications, though they also allow for additional data to be present. As well, the data elements in the X12 specifications are allowed to be omitted - what data is required by the payer to process a prior authorization is context and business-rule-specific. Implementers submitting prior authorization requests using PAS must be aware of (and adhere to) their responsibilities with respect to data sharing imposed by regulations such as HIPAA's "minimum necessary" rule, patient consent rules, etc. This may involve allowing providers to review information prior to data transmission to the payer. Implementations SHALL permit provider review of data prior to transmission, but SHALL NOT require such review.

    • Robert Dieterle / Rachael Foerster: 20-0-1
    • Clarification
    • Non-substantive

      Existing Wording: No existing wording related to applicable HIPAA Privacy Rules, especially with respect to minimum necessary determinations, and enforcement of patient consent, in particular when a patient pays for services out of pocket in full and dissents from disclosure to payers.

      Proposed Wording: HIPAA Privacy Rule Considerations:

      Disclosing providers and requesting payers must ensure that the Resources included in the PAS Bundle meet HIPAA Minimum Necessary provisions at 45 CFR Section 164.502(b) and 164.514(d).

      Also see HIPAA FAQs for Professionals - Minimum Necessary https://www.hhs.gov/hipaa/for-professionals/faq/minimum-necessary/index.html. In particular, see:

      Doesn't the HIPAA Privacy Rule minimum necessary standard conflict with the HIPAA transaction standards? https://www.hhs.gov/hipaa/for-professionals/faq/212/does-minimum-necessary-standard-conflict-with-hipaa-transaction-standards/index.html

      Is a covered entity required to apply the HIPAA Privacy Rule's minimum necessary standard to a disclosure of protected health information it makes to another covered entity? https://www.hhs.gov/hipaa/for-professionals/faq/216/does-minimum-necessary-standard-apply-to-disclosures/index.html

      Disclosing providers and requesting payers must ensure that the Resources included in the PAS Bundle do not pertain to an individual other than the patient except where deemed minimum necessary for purposes of payment. For example, family history may not be pertinent while records about a mother's newborn may be.

      The following is an excerpt from 45 CFR § 164.501: Payment means:

      (1) The activities undertaken by:

      (ii) A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and

      (2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided

      Comment:

      The HIPAA section should include pertinent citations to the HIPAA Privacy Rule on minimum necessary and the limitations on information which may be requested for payment purposes. The HIPAA Section should make clear that the onus of determining minimum necessary for payment purposes is on the payer, not the provider. Providers may reasonably rely that a requesting covered entity has limited that request to the minimum necessary to accomplish a permissible purpose. That said, providers are not required to disclose more than what their own policy stipulates as the minimum necessary.

      While not stated in this section, elsewhere in DaVinci, specifically CRD Considerations, the onus of determining minimum necessary is put on the provider: https://build.fhir.org/ig/HL7/davinci-crd/usecases.html, "The EMR would determine in which situations a payer system would be contacted for CRD purposes and what level of information the payer would be permitted to receive - including through the payer query mechanism. The determination of what information is shared could be influenced by patient consent and other internal business rules."

      Summary:

      The onus for determining the minimum necessary for HIPAA payment falls on payers

            Assignee:
            Unassigned
            Reporter:
            Kathleen Connor