The Standards for Privacy of Individually Identifiable Health information (45 CFR parts 160 and 164), published by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (PL 104-191), state that entities subject to the regulation (including MCOs) “must…limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made,” (§ 164.514(d)(4)). This language reflects both the need to accommodate the range of MCO payment and operational activities and the lack of consensus and models on which to base more specific language and the absence of policymaker consensus as to how to resolve the tradeoff between meeting this need and the patient need for confidentiality. By itself, therefore, the new requirement is unlikely to resolve the continuing tension between providers and managed care firms regarding how much information to make available to MCOs or other third parties.
"MHPrivacy.pdf" (pdf, 768.25Kb)
"appen-b.pdf" (pdf, 224.4Kb)