Can healthcare providers share PHI in billing info with the IRS?

Yes, healthcare providers can share PHI in billing information with the IRS if done with patient consent, under a legal mandate, or through a specific exception outlined by HIPAA.

What the Privacy Rule says about billing

According to an HHS summary, “Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate…”. The summary goes on to state that this individually identifiable health information includes, “...the past, present, or future payment for the provision of health care to the individual,”

Covered entities, such as healthcare providers and insurance companies, can generally only share billing information for purposes directly related to treatment, payment, or healthcare operations unless the patient provides explicit consent for other uses. For example, a hospital can share PHI with an insurance company to process payment for services rendered. Any sharing of this PHI needs to also comply with the principle of minimum necessary use, meaning that only the information needed for a specific purpose is disclosed. 

When can covered entities share PHI with the IRS

Based on an IRS notice on the topic of accessing taxpayer's PHI the instances provided for under HIPAA where this information can be shared include: 

1. Taxpayer's consent: The most straightforward scenario is when taxpayers provide explicit consent for their PHI to be shared. This consent must be clear about what information is shared and for what specific purpose. This provision allows individuals to control their information and facilitates the IRS's access to necessary data for tax-related matters.
2. Law enforcement exception: HIPAA provides an exception that states that PHI can be shared with the IRS under the law enforcement exception when it is necessary for a legitimate law enforcement purpose. This could include investigating tax fraud or other related criminal activities. The disclosure must be limited to what is legally required and directly relevant to the investigation.
3. Administrative and judicial proceedings exception: If the IRS is involved in a legal proceeding where PHI is pertinent, such as auditing a healthcare provider or a tax court case, PHI can be disclosed under this exception. A court order or a subpoena that commands the disclosure of information ensures that the process respects legal standards and is confined to the necessary scope of information.
4. Voluntary compliance with a summons: The IRS may issue a summons to a covered entity for PHI necessary for tax administration. The entity can comply voluntarily if the summons meets certain conditions.

See also: Does HIPAA allow sharing with law enforcement?

The guidelines for sharing PHI with the IRS

1. Obtain consent: Always obtain explicit and informed consent from the patient or the individual whose PHI is to be disclosed. The consent form should specify the exact information to be shared, the purpose of the sharing, and the recipient of the information (in this case, the IRS).
2. Follow legal orders: Share PHI only in response to a valid legal order such as a court order, subpoena, or summons from the IRS that specifically requests the information.
3. Adhere to the Minimum Necessary Standard: When disclosing PHI to the IRS, ensure that only the minimum amount of information necessary for the request is shared. Carefully evaluate what information is essential and limit the disclosure to that information.
4. Use secure email for transmission: If sending PHI by email, use a HIPAA compliant email. This service should provide encryption, secure access controls, and be willing to sign a business associate agreement (BAA).
5. Apply the law enforcement exception appropriately: Use this exception only when the PHI is requested for a legitimate law enforcement purpose by the IRS. Make sure the request meets the criteria for this exception.
6. Ensure administrative and judicial procedures are followed: When PHI is shared under administrative or judicial proceedings, confirm that all procedural requirements are met, including those regarding the issuance of a court order or subpoena.
7. Verify the request: Always verify the legitimacy of the IRS request for PHI. Confirm the authority of the person making the request and ensure that the request is legally sound and properly documented.
8. Document disclosure: Keep detailed records of all disclosures of PHI to the IRS, including the information shared, the purpose of the disclosure, the person authorizing the release, and the date of disclosure.

See also: Top 12 HIPAA compliant email services

FAQs

What is a HIPAA covered entity?

A HIPAA-covered entity includes healthcare providers, health plans, and healthcare clearinghouses that conduct certain transactions in electronic form.

What specific IRS requests might require access to PHI?

The IRS may require access to PHI for auditing healthcare providers, investigating tax fraud involving medical deductions, or verifying compliance with healthcare-related tax laws.

Is patient consent always required to share PHI with the IRS?

No, patient consent is not always required, especially in cases involving legal mandates, court orders, or specific IRS summonses that qualify under HIPAA exceptions.

What does the "minimum necessary standard" mean in the context of sharing PHI with the IRS?

The "minimum necessary standard" requires that only the minimum amount of PHI necessary for accomplishing the intended purpose be disclosed to the IRS