HIPAA Requirements & Allowed Activities

We understand that the Health Insurance Portability and Accountability Act (HIPAA) may create some questions about appropriate access to protected health information. Therefore, we are providing information to clarify the access that AmeriHealth Caritas Pennsylvania is afforded under the HIPAA Privacy Regulations.

These regulations, effective April 14, 2003, permit a health plan (such as AmeriHealth Caritas) to request health care information about its members for purposes of treatment, payment and/or health plan operations (TPO) without the member's prior consent/authorization. This includes access to a member's medical records when necessary and appropriate. The HIPAA Privacy Regulations permit such use by health plans in order to promote ready access to treatment for its membership and efficient payment for health care services rendered.

Further, the HIPAA Privacy regulations provide that a covered entity (such as you) may disclose PHI to another covered entity (AmeriHealth Caritas) for heath care operations activities of the entity that receives the information (AmeriHealth Caritas), if each entity has or had a relationship with the individual who is the subject if the PHI being requested (our member/your patient), and that disclosure pertains to heath care operations.

"TPO" disclosures include, but are not limited to, the following:

Activities that can constitute "Treatment" include but may not be limited to:

  • The provision, coordination, management, consultation, and referral of a member between and among health care providers.

Activities that constitute "Payment" include but may not be limited to:

  • Determination of member eligibility;
  • Reviewing health care services for medical necessity and utilization review;
  • Review of various activities of health care providers for payment or reimbursement to fulfill the health plans' coverage responsibilities and provide appropriate benefits; and
  • To obtain or provide reimbursement for health care services delivered to members.

Activities that constitute "Operations" include but may not be limited to:

  • Certain quality improvement activities such as case management and care coordination;
  • Quality of care reviews in response to member of state/federal queries;
  • Prompt response to member complaints/grievances;
  • Site visits as part of credentialing and recredentialing;
  • Administrative and financial operations such as conducting health plan employer data and information set (HEDIS) reviews;
  • Member services activities; and
  • Legal activities such as audit programs, including fraud and abuse detection to assess conformance with compliance programs.

We hope this information is helpful in clarifying our right to access the protected health information of your patients and our members. If you have any questions, please contact your Provider Network Management Representative.