Confidentiality of Medical Records
- Physicians (does not apply to Cal MediConnect)
- Participating Physician Groups (PPG) (does not apply to HSP)
Members are entitled to confidential treatment of member communications and records. Case discussion, consultation, examination, claims and treatment are confidential and must be conducted discreetly. A provider shall permit a patient to request, and shall accommodate requests for, confidential communication in the form and format requested by the patient, if it is readily producible in the requested form and format, or at alternative locations. The confidential communication request shall apply to all communications that disclose medical information or provider name and address related to receipt of medical services by the individual requesting the confidential communication. Written authorization from the member or authorized legal representative must be obtained before medical records are released to anyone not directly concerned with the member's care, except as permitted or as necessary for administration by the health plan.
Health Net requires participating providers to have a written policy in place that provides for the protection of confidential protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA). The policy must be kept in hard copy or electronic format and must include a functioning mechanism designed to safeguard records and information against loss, destruction, tampering, unauthorized access or use, and verbal discussions about member information to maintain confidentiality.
Provider agrees that all health information, including that related to patient conditions, medical utilization and pharmacy utilization, available through the portal or any other means, will be used exclusively for patient care and other related purposes as permitted by the HIPAA Privacy Rule.
PHI is considered confidential and encompasses any individual health information, including demographic information collected from a member, which is created or received by Health Net and relates to the past, present or future physical or mental health or condition of a member; the provision of health care to a member; or the past, present or future payment for the provision of health care to a member; and that identifies the member or for which there is a reasonable basis to believe the information may be used to identify the member. Particular care must be taken, as confidential PHI may be disclosed intentionally or unintentionally through many means, such as conversation, computer screen data, faxes, or forms. Disclosure of PHI must have prior, written member authorization.
Sensitive services are defined as all health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence, and includes services described in Sections 6924-6930 of the Family Code, and Sections 121020 and 124260 of the California Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the services.
Effective July 1, 2022, Assembly Bill 1184 amends the Confidentiality of Medical Information Act to require health care plans to take additional steps to protect the confidentiality of a subscriber’s or enrollee’s medical information regardless of whether there is a situation involving sensitive services or a situation in which disclosure would endanger the individual.
These steps include:
- A protected individual (member) is not required to obtain the primary subscriber or other enrollee’s authorization to receive sensitive services or to submit a claim for sensitive services if the member has the right to consent to care.
- Do not disclose a member’s medical information related to sensitive health care services to the primary subscriber or other enrollees, unless the member’s authorization is present.
- Notify the subscriber and enrollees that they may request confidential communications and how to make the request. This information must be provided to “enrollees” at initial enrollment and annually.
- Respond to confidential communications requests within:
  - 7 calendar days of receipt via electronic or phone request, or
  - 14 calendar days of receipt by first-class mail
- Communications (written, verbal or electronic) regarding a member’s receipt of sensitive services should be directed to the member’s designated mailing address, email address, or phone number. For protected individuals who may not have designated an alternative mailing address, the provider and/or Plan is required to send the communications to the address or phone number on file in the name of the protected individual.
- Confidential communication includes:
  - Bills and attempts to collect payment.
  - A notice of adverse benefits determinations.
  - An explanation of benefits notice.
  - A plan’s request for additional information regarding a claim.
  - A notice of a contested claim.
  - The name and address of a provider, description of services provided, and other information related to a visit.
  - Any written, oral, or electronic communication from a plan that contains protected health information.
The relationship and communication between a participating provider and member is privileged, and the medical records containing information about the relationship are confidential. The participating provider's code of ethics, as well as California and federal law, protect against the disclosure of the contents of medical records and protected health information (PHI), whether written, oral or electronic, to individuals or agencies that are not properly authorized to receive such information.
Protected health information (PHI) may be shared with participating providers in the same facility only, on a need-to-know basis, and may be disclosed outside the facility only to the extent necessary, provided such release is authorized.
In accordance with the Health Insurance Portability and Accountability Act (HIPAA), PHI, whether it is written, oral or electronic, is protected at all times and in all settings. Disclosure of PHI must have prior written member authorization. Health Net participating providers only release PHI without authorization when:
- Needed for payment
- Necessary for treatment or coordination of care
- Used for health care operations (including, but not limited to, Healthcare Effectiveness Data and Information Set (HEDIS®) reporting, appeals and grievances, utilization management, quality improvement, and disease or care management programs)
- Where permitted or required by law
Health Net and participating providers may transmit PHI to individuals or organizations, such as pharmacy or disease management vendors, who contract to provide covered services to members. PHI cannot be intentionally shared, sold or otherwise used by Health Net, its subsidiaries, participating providers, or affiliates for any purpose other than for payment, treatment or health care operations or where permitted or required by law without an authorization from the member.
AB 715 (ch. 562, 2003) supports compliance with HIPAA and applicable state laws relating to use of PHI for marketing. Marketing is defined as a communication about a product or service that encourages recipients to purchase or use the product or service. Health plans, providers, pharmaceutical benefit managers, and disease management entities are prohibited from using PHI to market a product or service unless the communication meets one of the exceptions described below:
- Written or oral communication whereby the communicator receives no compensation from a third party
- Communications made to a current member solely for the purpose of describing a provider's participation in an existing health care provider network or health plan network to which the member subscribes
- Communications made to a current member solely for the purpose of describing products, services, payment, or benefits for the health plan to which the member subscribes
- Communication to describe a plan benefit or an enhancement or replacement to a benefit
- Communications describing the availability of more cost-effective pharmaceuticals
- Compensated communications tailored to a specific individual that educate or advise them about disease management or life-threatening, chronic or seriously debilitating conditions if:
  - The member receiving the communication is notified in writing that the provider, contractor or health plan has been compensated, and identifies the source of the compensation
  - The communication must include information on how the member can opt out of receiving further communications by calling a toll-free number and must be written in 14-point font or larger. No communication can be made to a member who has opted out after 30 days from the date of the request
- Special authorization is required for uses and disclosures involving sensitive conditions, such as psychotherapy notes, AIDS or substance abuse. To release PHI regarding sensitive conditions, Health Net and participating providers must obtain written authorization from the member (or authorized representative) stating that information specific to the sensitive condition may be disclosed.
In the event the member is unable to give authorization, Health Net or the participating provider accepts the authorization of the person holding power of attorney or any other authorized representative in order to release information or have access to information about the member. Refer to the Procedure discussion for more information regarding authorized representatives.
Members may obtain their own medical records upon request. Adult members have the right to provide a written addendum to the medical record if the member believes that the record is incomplete or inaccurate. Members may request that their PHI be limited or restricted from disclosure to outside parties or may request the confidential communication of their PHI to an alternate address. Members may file a grievance with respect to any concerns they have regarding confidentiality of data.
Participating providers' policies and procedures governing the confidentiality of medical records and the release of protected health information (PHI) must address levels of security of medical records, including the:
- Assurance that the files are secure and not accessible to unauthorized users
- Indication of who has access to the medical records
- Identification of who may execute different database functions for computerized medical records
- Assurance that staff is trained with respect to the Health Insurance Portability and Accountability Act (HIPAA), privacy requirements and related policies
- Signed confidentiality agreements on file from staff who have access to medical records
- Assurance that photocopies or printouts of the medical records are subject to the same control as the original record
- Designation of a person to destroy the medical record when required
Release of medical information guidelines must address:
- Requests for PHI via the telephone
- Demands made by subpoena duces tecum
- Timely transfer of medical records to ensure continuity of care when a Health Net member chooses a new primary care physician (PCP)
- Availability and accessibility of member medical records to Health Net and to state and federal authorities or their delegates involved in assessing quality of care or investigating enrollee grievances or other complaints
- Availability and accessibility of member medical records to the member in a timely manner in accordance with industry standards and best practices
- Requirements for medical record information between providers of care:
  - A physician or licensed behavioral health care provider making a member referral must transmit necessary medical record information to the provider receiving the member referral
  - A physician or licensed behavioral health care provider furnishing a referral service provides appropriate information back to the referring provider
  - A physician or licensed behavioral health care provider requesting information from another treating provider as necessary to provide care. Treating physicians or licensed behavioral health care providers may include those from any organization with which the member may subsequently enroll
An authorization form must be in plain language and contain the following to be HIPAA-compliant:
- A specific and meaningful description of the information to be used or disclosed
- The name of the person or entity authorized to make the requested use or disclosure
- The name of a person or entity to which the use or disclosure may be made
- A description of each purpose or use for the information. If the individual requests the authorization for their own purposes, the description here may read simply "at the request of the individual"
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure
- The signature of the individual and the date
- If the personal representative signs for the individual, a description of such representative's authority to act for the individual must be provided
- A statement about the individual's right to revoke the authorization at any time if the revocation is in writing, the exceptions to the revocation right, and a description of how the individual may revoke the authorization. Alternatively, the revocation statement may state the individual's right to revoke and instruct the individual to refer to the covered entity's Notice of Privacy Practices for instructions and limitations on revocation
- A statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization, unless a valid exception applies (such as pre-enrollment underwriting or information needed for payment of a specific claim for benefits), but the authorization cannot require release of psychotherapy notes for either exception
- The consequences to the individual of a refusal to sign when the plan can condition enrollment in the health plan, eligibility for benefits or payment on failure to obtain such authorization
- A statement that the information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer protected by the privacy rule