The connection between medical necessity and HIPAA

HIPAA's Privacy Rule recognizes medical necessity as one of the reasons why protected health information (PHI) may be disclosed without patient authorization. According to the Department of Health and Human Services, "A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities." Medical necessity determinations fall within these permitted uses and disclosures. When an insurance company reviews a claim to determine medical necessity, they are legally allowed to access relevant portions of a patient's medical record to make their coverage decision.

The Department of Health and Human Services further clarifies, "Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing." This regulation enables the entire medical necessity review process, as utilization review—the evaluation of medical necessity—is explicitly recognized as a permitted healthcare operation under HIPAA.

This HIPAA exception for payment activities enables the entire prior authorization and claims review process. Without this provision, insurance companies would need individual patient authorization for every medical necessity review. The law recognizes that effective healthcare coverage requires insurers to have access to medical information necessary to make informed coverage decisions.

However, HIPAA also provides important protections around these disclosures. The minimum necessary standard requires that covered entities limit their use and disclosure of PHI to the minimum amount necessary to accomplish the intended purpose. When conducting medical necessity reviews, insurance companies should only access the specific medical information needed to make their coverage determination, not the patient's entire medical history.


HIPAA's minimum necessary standard in medical necessity reviews

According to the Department of Health and Human Services, "A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose." This standard requires healthcare providers and insurance companies to implement policies and procedures that limit access to PHI to only what is reasonably necessary to accomplish the intended purpose. In the context of medical necessity reviews, this means that insurance companies should only request and review the specific medical information directly relevant to the coverage decision at hand.

For example, if an insurance company is reviewing the medical necessity of a cardiac procedure, they should focus on cardiac-related medical records, diagnostic tests, and treatment history rather than accessing unrelated information about the patient's mental health treatment or dermatological care. This approach protects patient privacy while still allowing for thorough medical necessity evaluations.

Healthcare providers are responsible for being mindful of the minimum necessary standard when responding to requests for medical information from insurance companies. They should provide sufficient detail to support medical necessity without unnecessarily disclosing irrelevant personal health information. This balance requires careful consideration of what information is truly necessary for the coverage decision.

As noted in Privacy Protection in Billing and Health Insurance Communications, "Because our health insurance landscape currently requires disclosure of a great deal of confidential health information for processing of claims and other administrative purposes, meeting this ethical obligation presents a major challenge." The challenge is compounded by the fact that "Protecting patients' privacy and the confidentiality of their health information is a fundamental ethical requirement for health care professionals."


Challenges and controversies

The intersection of medical necessity and HIPAA creates several challenges in healthcare delivery. One issue is the potential for medical necessity determinations to delay patient care. When insurance companies require extensive documentation or lengthy review processes, patients may experience delays in receiving needed treatments. These delays can be problematic for urgent or time-sensitive medical conditions.

Another challenge is the subjective nature of medical necessity determinations. What one medical professional considers necessary, another might view as optional or experimental. This subjectivity can lead to inconsistent coverage decisions and appeals processes that may not always result in fair outcomes for patients. The interpretation of medical evidence and clinical guidelines can differ among reviewers, creating uncertainty for both patients and providers.

Privacy concerns also arise when multiple parties are involved in medical necessity reviews. As the Department of Health and Human Services notes, "The Privacy Rule permits use and disclosure of protected health information, without an individual's authorization or permission, for 12 national priority purposes." Insurance companies may share medical information with third-party review organizations, pharmacy benefit managers, or other entities involved in coverage decisions. Each additional disclosure increases the risk of privacy breaches and may expose patients to a broader distribution of their personal health information.

According to Privacy Protection in Billing and Health Insurance Communications, "In tandem, and sometimes in conflict, with the myriad confidentiality requirements, federal and state laws contain many provisions that require disclosure of confidential health information." This creates situations where patients face privacy risks simply by using their insurance coverage, especially "When a patient is covered on a policy of someone else—a parent or a spouse—communications about claims often go to the policyholder, thereby disclosing the patient's confidential health information."

Furthermore, the Department of Health and Human Services emphasizes that "A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations." This requirement creates a clear boundary, but the complexity of modern healthcare delivery can sometimes blur the line between routine healthcare operations and activities that require specific patient consent.

The modern data environment adds to these challenges. As HIPAA and Protecting Health Information in the 21st Century explains, "HIPAA contemplated that most research would be conducted by universities and health systems, but today much of the demand for information emanates from private companies." Moreover, HIPAA "attaches (and limits) data protection to traditional health care relationships and environments," while "HIPAA-covered data form a small and diminishing share of the health information stored and traded in cyberspace."

 

Fair processes and transparency

According to Perspectives on Essential Health Benefits: Workshop Report, there are precedents for incorporating public deliberations into benefit coverage decision making, with Dr. Garber citing "the Medicare Evidence Development and Coverage Advisory Committee (MEDCAC) as 'a good example of a very public process with a great deal of opportunity for public input.'"

While individual medical necessity cases cannot be subject to public processes due to confidentiality concerns, the workshop report notes that there can be "a public process for 'vetting the rules that are used to make medical necessity decisions' and establishing an appropriate appeal process."

Consumer engagement in these processes is essential. As noted in the Workshop Report, consumers can participate more effectively "if they were better trained to effectively represent the public." Other countries have successfully "embedded consumers in the benefit design processes" by providing training that enables consumers to "examine the intervention under consideration and understand complex statistical arguments."

States are beginning to address these challenges through innovative approaches. According to Privacy Protection in Billing and Health Insurance Communications, "states have begun to address the problem with a variety of approaches, particularly in the commercial health insurance sector." These approaches include "management of EOBs, denials of claims, and other communications; enabling patients to request restrictions on disclosure of their health information; explicit confidentiality protections for minor and/or adult dependents."

The ultimate goal, as described in Privacy Protection in Billing and Health Insurance Communications, is to "allow health care providers to both protect patient privacy and receive payments from health insurers and to allow patients to access services they need using the health insurance coverage to which they are entitled." 

 

FAQs

Do patients have the right to limit what information is shared in a medical necessity review?

Patients can request restrictions, but covered entities are not required to agree if the disclosure is for payment or healthcare operations.

 

What role do business associates play in medical necessity determinations?

Business associates such as third-party reviewers may access PHI under HIPAA if bound by a business associate agreement.

 

How is subjectivity a problem in medical necessity determinations?

Different reviewers may interpret guidelines and clinical evidence differently, leading to inconsistent coverage decisions.

 
