
Healthcare Effectiveness Data and Information Set (HEDIS) - HIPAA

WHAT IS A HEDIS RECORD REQUEST?

HEDIS is a quality measurement tool used by health plans to assess the performance of care and services provided to their members.

HEDIS data is collected retrospectively, usually through:

  • Claims data

  • Lab results

  • Chart review (this is where your medical records come in)

Record requests are common, but they are also widely misunderstood and often abused by insurers or their third-party vendors.

Here's what you're legally required to provide, what you're not, and how to protect yourself from HIPAA violations.

HIPAA and HEDIS Requests

Permissible Without Patient Authorization

  • HEDIS reviews qualify as “health care operations” under HIPAA (45 CFR §164.501).

  • So you may disclose PHI to the insurer or its third-party agents without a signed patient authorization.


BUT...

You Must Follow the Minimum Necessary Standard (45 CFR §164.502(b))


Just because it’s a valid request doesn’t mean they’re entitled to the entire chart.

You're only required to provide the information necessary to support the specific HEDIS measure(s) they are evaluating, and nothing more.


What You Are NOT Required to Provide


  • Entire medical record

    • Violates minimum necessary rule

  • Psychotherapy notes

    • Protected under HIPAA, need separate authorization

  • Substance use notes

    • Protected under 42 CFR Part 2

  • HIV/reproductive health notes

    • May be protected by state laws

  • Unrelated diagnoses

    • Only required to submit data supporting the specific HEDIS measure under review

What YOU Need to Do


  1. Ask for specifics:

    • “What diagnosis, CPT/ICD code, and date of service is this request for?”

    • “What HEDIS or risk adjustment measure are you auditing?”

  2. Limit disclosures:

    • Only provide documentation relevant to that diagnosis or service

    • Redact the rest

  3. Log everything:

    • Keep a copy of what you disclosed

    • Note the requestor, date, and purpose in a HIPAA disclosure log

Example Response to Overbroad HEDIS Request


Subject: HEDIS Record Request – HIPAA Compliance and Minimum Necessary Standard

Dear [Vendor/Health Plan Name],

We received your request for medical records related to HEDIS data abstraction. As a HIPAA Covered Entity, we are committed to supporting quality reporting efforts while remaining compliant with HIPAA’s Minimum Necessary Standard (45 CFR §164.502(b)).

Please specify the HEDIS measure(s) for which documentation is requested, and we will provide only the relevant clinical data necessary to fulfill that request. We cannot release entire medical records or sensitive data unrelated to the measures being audited.

Utilize Best Practices


  • Redact irrelevant portions of the note (especially MSE, ROS, unrelated diagnoses)

  • Do not give full chart access unless it is fully justified and authorized

  • Log the disclosure

  • Ensure you have confirmation that any third-party vendor (e.g., Advantmed, Datavant) has a Business Associate Agreement (BAA) with the health plan
