Medicare QIOs and HIPAA Compliance
When Can Covered Entities Disclose Information on Medicare Beneficiaries to QIOs?
The Virgin Islands Medical Institute (VIMI) and other Medicare Quality Improvement Organizations (QIOs) perform certain review and other functions for the Centers for Medicare & Medicaid Services (CMS) under contracts with CMS. These functions are required under Part B of Title XI of the Social Security Act. Part B of Title XI also requires that covered entities disclose information on Medicare beneficiaries to QIOs so that QIOs can perform the requirements under their Medicare contracts. Covered entities that conduct certain electronic transactions and are subject to the Privacy Rule of Health Insurance Portability and Accountability Act of 1996 (HIPAA) generally cannot disclose protected health information on Medicare beneficiaries or other patients without permission of the patients, unless the rule otherwise allows disclosure. If a covered entity’s disclosure is required by law, the rule allows disclosure without the patient’s permission under 45 CFR §164.512(a). Therefore, when a covered entity discloses to a QIO information on Medicare beneficiaries that the QIO needs in order to perform under its contract with CMS, patient permission is not required.
When Can Covered Entities Disclose Information on Non-Medicare Patients to QIOs?
Covered entities may also disclose protected health information about non-Medicare patients without their permission when the information involved the QIO’s quality-related activities under its contract. Generally, when QIOs receive this information, they are functioning as health oversight agencies under §164.512(d). The HIPAA Privacy Rule defines a health oversight agency to include a federal or other governmental agency or authority that is authorized by law to oversee the health care system (whether public or private), or government programs in which health information is necessary to determine eligibility or compliance with program standards (45 CFR §164.501). Oversight agencies also include a person or entity acting under a contract with the public agency. Part B of Title XI requires Medicare QIOs, as CMS’ contractors, to conduct activities necessary for appropriate oversight of the health care system. Specifically, QIOs are health oversight agencies to the extent that they are acting under contract with Medicare to oversee the health care system in general or compliance with quality standards under Medicare. This includes collecting and reviewing quality performance measures from hospitals regarding Medicare and non-Medicare patients, such as reports on surgical infection prevention, acute myocardial infarction and influenza or pneumococcal immunization. When a QIO is acting as a health oversight agency, disclosures to them for health care oversight purposes are permissible without patient permission.
Are Covered Entities Protected When They Make Disclosures to QIOs?
The Social Security Act provides certain protections to those who disclose information to the QIOs, as described in §1157 of the Act. Under §1157, no person providing information to a QIO will be held, by reason of having provided such information, to have violated any criminal law or to be civilly liable under any state or federal law, unless the information provided is unrelated to the performance of the contract of the QIO or the information is false and the individual knew or had reason to believe that the information was false. Information provided to VIMI in its role as a QIO cannot be disclosed to any third party by VIMI except as provided in 42 CFR Section 480.
CMS Clarification on QIOs and Data Exchange
On March 20, 2003, QIOs received official clarification from CMS about the implications of HIPAA regulations on data exchange between QIOs and health care organizations. With respect to protected health information, the CMS statement clarifies that health care provider organizations do not need business associate agreements with QIOs and that prior authorization is not required for the release of protected health information to QIOs.
QIOs do not fall into the HIPAA “business associate” category for providers or practitioners because they are not performing functions for the provider or practitioner. Rather, QIOs have need for access to protected health information as QIOs carry out the work directed by Sections 1153 and 1154 of the Social Security Act.