Redacting primary EOBs

bwallen

Guest
Messages
4
Best answers
0
Is there a specific rule that indicates the information of patients not associated with that claim needs to be redacted from that primary EOB? With all the confidentiality agreements and contracts signed between carriers and practices, it seems we should be covered, as there is no date of birth, addresses, phone numbers or diagnoses listed. I feel like a lot of what we do with regard to HIPAA was born out of all the uncertainty with the introduction of HIPAA, and I am working to "debunk the myths" that came from that.

I have looked and can't find anything specific on this topic.

Any thoughts or references? Thanks in advance for any input.
I'd recommend reading through the information on the HHS website, which I think would be a helpful guide for you on these types of questions:

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/

As a disclaimer, I'm not an attorney and my comments here shouldn't be taken as legal advice.

I'm not aware of any specific rules regarding redactions from EOBs, but there are a number of provisions that do apply to all types of disclosures in general:

Even though the date of birth or other information you indicated is not on an EOB, the law does cover "all individually identifiable health information" which is named to include other information that does appear on EOBs such as patient names, plan beneficiary numbers, account numbers, and dates of service. Per HHS, the law requires a "covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request." The law provides for incidental disclosures and "does not require that every risk of an incidental use or disclosure of protected health information be eliminated...as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the “minimum necessary,” as required by the Privacy Rule."

As I read this, in the context of disclosures for healthcare operations, you would not be liable for incidental disclosures to another covered entity (such as an inadvertent failure to remove an element of unnecessary information from an EOB sent to an insurance company) as long as you are following an established policy and reasonable procedure for protecting the information and limiting the disclosures to what is necessary.

So to the original question, I believe that it is a prudent practice to redact unnecessary identifiable information from EOBs. If by chance EOBs were to mistakenly fall into the wrong hands, I believe the practice could potentially be more likely to be held liable for a breach for not taking the required reasonable safeguards if it was not following a policy to limit the information disclosed by routinely removing the unnecessary information from the EOBs.

Thank you, Thomas. That information and reference is helpful and, although still gray on this particular issue, does fall into line with what I was thinking. Thank you for the link.