Welcome to the Department of Health Care Services Welcome to Medi-Cal

HIPAA: Privacy

  1. When requesting the California MMIS Fiscal Intermediary Correspondence Unit to research an issue for me, I submit all my documentation, including claims, along with my letter. Can I still do this under HIPAA regulations?

    Yes. HIPAA regulations allow providers to share information with Medi-Cal to facilitate research of billing issues.

  2. When requesting research on an issue, can I black out information on the claim that is not required for that research?

    It is not necessary to black out any information. Providers can share all claim information with Medi-Cal. Blacking out information may cause delays in processing a research request.

  3. When inquiring about only one recipient on a research request, can I black out other recipients on a Remittance Advice Details (RADs) or Explanation of Medi-Cal Benefits (EOMBs)?

    Altered documentation causes claims to deny and makes it difficult to research billing inquiries. Providers can share all claim information with Medi-Cal. However, providers may cross out recipients they are not inquiring about with a single black line. RADs/EOMBs should never be cut or pasted.

  4. According to the Code of Federal Regulations, Title 45, providers, clinics and hospitals working with a health plan like Medi-Cal may use or disclose Personal Health Information (PHI) for treatment, payment, and health care operations without patient authorization. These entities do not require a Business Associate Agreement. Does this mean that county programs like California Children's Services (CCS) and Expanded Access to Primary Care (EAPC), private health plans like Blue Cross and all provider types are examples of entities that do not require a Business Associate Agreement?

    The Business Associate Agreement is required when a provider or health plan contracts with a separate organization to perform a function using protected health information on behalf of the provider or plan (Code of Federal Regulations, §160.103). In the examples listed, an agreement is not necessary since the providers are not performing functions on behalf of the plan.

  5. The January 2003 Medi-Cal Update indicated that a Business Associate Agreement is required when a provider or health plan contracts with a separate organization that uses Personal Health Information (PHI) on behalf of a provider or plan. If a provider contracts with a clearinghouse for its services, is a Business Associate Agreement required?

    Yes. A Business Associate Agreement is required when a provider or health plan contracts with a separate organization to perform a function using Personal Health Information (PHI) on behalf of the provider or plan (Code of Federal Regulations, §160.103). By definition, a health care clearinghouse translates data content or format for another entity from non-standard to standard (or vice versa) and thus performs a function on behalf of the provider or plan that uses or involves PHI. Using this example and definition, a provider contracting with a clearinghouse would be required to obtain a Business Associate Agreement. Further information regarding the requirements of the privacy regulation and the Business Associate Agreement is available on the Office for Civil Rights Web site.

  6. If a provider is contracted with a health plan, and the health plan contracts with a separate organization that uses Personal Health Information (PHI) on its behalf, does the provider need a Business Associate Agreement or is it only required by the health plan and its contract with the separate organization?

    Since there does not appear to be any direct relationship between the provider and the separate organization, there is no need for a Business Associate Agreement between the two entities. Further information regarding the requirements of the privacy regulation and the Business Associate Agreement is available on the Office for Civil Rights Web site.

  7. Under HIPAA, are recipients required to sign any paperwork, such as a Business Associate Agreement, before they pick up or remove prescription drugs from a pharmacy?

    No. A Business Associate Agreement is required when a provider or health plan contracts with a separate organization to perform a function using protected Personal Health Information (PHI) on behalf of the provider or plan (Code of Federal Regulations, Title 45, §160.103). In this example, the provider is not contracting with a separate organization to perform a function and a Business Associate Agreement is not necessary. The pharmacy is the provider, or covered entity, and the privacy regulation permits covered-entity use and disclosure of protected PHI, with certain limits and protections, for treatment, payment and healthcare operations' activities. Additional information regarding personal rights and personal representatives is available on the Office for Civil Rights Web site.

  8. Does a provider need a Business Associate Agreement with Medi-Cal/the FI?

    No. Under the HIPAA regulations, a provider (such as a health facility) and health plans (such as Medi-Cal) may use or disclose PHI (Protected Health Information) without patient authorization for treatment, payment and health care operations (45 Code of Federal Regulations, §164.502). Payment is broadly defined to mean activities undertaken by a health care provider or health plan to obtain or provide reimbursement for the provision of health care (45 Code of Federal Regulations, §164.501). HIPAA rules make it clear that a covered entity (such as a health facility) may disclose PHI to another covered entity (such as Medi-Cal) for the payment activities. Therefore, under HIPAA, covered entities may submit claims to the Medi-Cal program without PHI restrictions. The Business Associate Agreement is required when a provider or health plan contracts with a separate organization to perform a function using PHI on behalf of the provider or plan (45 Code of Federal Regulations, §160.103). For example, a Business Associate Agreement would be needed if an outside organization is contracted to perform billing for a provider.