Since the early days of HIPAA, a steady trickle of misinterpretations, misunderstandings and half-truths have circulated informally both within the medical community and among the general public. The prevalence of social media only amplifies the effect. For example, a meme currently making the rounds on Facebook suggests using HIPAA as a strategy for convincing a health insurer to reverse a coverage denial decision. The post, entitled “Medical Hack,” began appearing this month. While containing some accurate information, the post contains a number of flaws.
It reads as follows:
So, your doctor ordered a medical test or treatment and your insurance company denied it. That is a typical cost saving method.
OK, here is what you do:
1. Call the insurance company and tell them you want to speak with the “HIPAA Compliance/Privacy Officer” (By federal law, they have to have one)
2. Then ask them for the NAMES and CREDENTIALS of every person accessing your record to make that decision of denial. By law you have a right to that information.
3. They will almost always reverse the decision very shortly rather than admit that the committee is made of low paid HS graduates, looking at “criteria words,” making the medical decision to deny your care. Even in the rare case it is made by medical personnel, it is unlikely it is made by a board certified doctor in that specialty and they DO NOT WANT YOU TO KNOW THIS!
4. Any refusal should be reported to the US Office of Civil Rights (OCR.gov) as a HIPAA violation.
As with any viral post, it is prudent to fact-check this advice with reliable sources such as Snopes.com. Sure enough, Snopes has addressed the “hack” and classified it a mixture of true, false and undetermined information. See http://www.snopes.com/hipaa-medical-hack-insurance-claim-denials/
To their credit, the fact-checkers at Snopes picked up on several flaws in the strategy suggested in the hack, particularly the fact that neither HIPAA nor the Affordable Care Act require insurers to base decisions to deny coverage of services or medications on the decision of a doctor, let alone a doctor that is board certified in the specialty under which that treatment fell. (In fact, these issues are primarily regulated by state insurance laws.) To that effect, Snopes notes:
… if insurance companies are entitled to deny coverage on a discretionary basis without the say-so of a doctor, there’s no reason a non-mandated process would be outlined through any plan resource or HHS guideline. Asking for such documentation would make as much sense as someone demanding a receipt for a donut you didn’t buy.
However, the most critical flaw in the suggested strategy is the fact that insurers and other covered entities are not required to account for all internal disclosures (and even many external disclosures for that matter), and disclosures for payment or health care operations purposes are specifically carved out of the accounting requirement in 45 C.F.R. 164.528(a). Insurance clerks, regardless of their level of education, are likely to be utilizing patient records for payment and operations purposes when processing claims denials.
With regard to the requirement to designate a “HIPAA Compliance/Privacy Officer,” the Snopes report stated “We were unable to locate any relevant portion of the act that specifically mandated what the meme claimed.” In fact, 45 C.F.R. § 164.530 states:
(a)(1) Standard: Personnel designations.(i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.
A better approach for health insurance subscribers facing denial of a treatment ordered by their physician is to follow the appeal mechanisms specified in their plans, and check their rights under applicable state law. For instance, Pennsylvania’s Act 68 includes certain standards for managed care plans and offers complaint and grievance procedures for individuals.
Lesson: Viral memes are often an unreliable source of legal advice. I’m a major fan of Snopes.com, but sometimes even Snopes doesn’t get all the details.