NEW LEAF PRIMARY CARE
NEW LEAF BEHAVIORAL HEALTH
THINGS YOU NEED TO KNOW ABOUT HIPAA
Every provider gets those good ole Third Party Records Requests from Datavant, Ciox, Episource, and other entities.

Datavant is requesting the complete medical record for a patient for a singular claim in question on behalf of Optum, or another insurance company.

HIPAA 45 CFR §164.502(b): Covered entities must "make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary."

If the record request is related to Treatment, Payment, or healthcare operations (TPO), a HIPAA compliant patient authorization likely is not required. However, if the request is not for TPO, it must be accompanied by a HIPAA compliant patient authorization. The authorization must be signed and dated by the patient or legal representative; clearly identify what information is being requested; state the purpose of disclosure; include the name of the recipient (Datavant/Optum); have an expiration date or event; and include the right to revoke in writing.

If the request is for audit purposes, authorization is not required, but the minimum necessary standard still applies.

Requesting the entire medical record for a single claim is not HIPAA compliant. Datavant would have to provide substantial justification as to why the entire medical record is required.

If such a request is received, it should be challenged, especially when the request is too broad, not supported by appropriate documentation, and outside the purpose of payment, treatment, or operations.

Request justification for the specific reason the full record is needed, including the legal authority under which they are requesting it.

Push back with a response such as:

Under 45 CFR §164.502(b), we are required to release only the minimum necessary information to fulfill this request. Please specify the exact documentation needed to support the claim in question. We are unable to provide the entire medical record unless a valid HIPAA authorization is submitted, or the request meets a legally mandated exception.

A prospective HIPAA violation may exist if Datavant (on behalf of Optum) is requesting entire medical records for a single claim or HEDIS review without justification and in a way that violates HIPAA’s core principles.

It would violate the Minimum Necessary Standard. Under 45 CFR §164.502(b), covered entities (like you) must limit disclosures to the “minimum necessary” to accomplish the intended purpose.

- Requesting the entire medical record for one claim or one HEDIS measure without specific rationale is excessive.
- This is especially true when the request includes mental health, substance use, or unrelated specialty records.

Potential Violation: If you release the full chart without verifying the necessity, you could be liable for a HIPAA breach.

Insufficient Justification for Disclosure: HIPAA permits disclosures without patient authorization for treatment, payment, and healthcare operations (TPO), but the purpose must be explicitly clear.

For example, a records request you receive may be worded like this:

- “Send entire chart for claim #XYZ”
or
- “Please send the entire medical record for review”

These records requests absolutely do not meet compliance standards. A prospective violation exists if no clear tie to TPO is documented, or if there is no HIPAA-compliant authorization for non-TPO purposes; that is a red flag.

It is necessary to verify that Business Associate Agreements (BAAs) are in place between all parties, because if you release PHI without confirming proper agreements, you are at risk for a violation.

Releasing psychotherapy notes or sensitive data requires explicit authorization under 42 CFR Part 2.

If it does not look right, challenge the scope of the request:

Please specify the exact documents needed to support this claim or HEDIS measure. Under HIPAA’s minimum necessary standard (45 CFR §164.502(b)), we are unable to release the entire chart unless clearly required.

Be sure to request written clarification of the purpose of disclosure (TPO vs. non-TPO), which records are necessary, and whether a HIPAA authorization exists.

Confirm BAAs exist, and don’t assume Datavant has the right to receive PHI just because they say they’re working for Optum.

Document everything; especially if you deny or limit the request, log your reasoning in case of audit.

Risk adjustment requests are a permissible use of PHI under health care operations, but the minimum necessary standard still applies.

Even for risk adjustment, only the parts of the medical record that support submitted claims or documented diagnoses can be requested. A blanket request for entire charts for a single diagnosis or encounter is NOT automatically HIPAA-compliant.

Risk adjustment is not a free pass to request an entire chart for a single date or diagnosis. The minimum necessary rule and the rest of HIPAA still apply.

You have the right to:

- Request the specific diagnoses or date ranges they are requesting documentation for
- Decline to send full records if the request is overbroad
- Redact unrelated information, particularly:
  - Psychotherapy notes
  - HIV status
  - Substance use disorder info (42 CFR Part 2)
  - Reproductive health notes (subject to state laws)

You can respond to those lovely blanket requests with:

Thank you for your request. As required under HIPAA 45 CFR §164.502(b), we are obligated to disclose only the minimum necessary information for purposes such as risk adjustment. To ensure compliance, please clarify the specific diagnoses and date range in question so we may provide the relevant documentation. We are unable to release the entire medical record unless clearly justified under this provision.

Be sure to verify the legitimacy of the request (request a signed attestation of the RA audit if needed); limit disclosure to dates of service and diagnoses tied to risk adjustment; track what you release for auditing; and redact sensitive info unless explicitly needed and allowed.

Insurance companies love to play dirty pool.

You need to realize and understand that your Contract Does NOT Override HIPAA. Even if you are a participating provider with that insurance company, your provider contract cannot force you to violate federal law, including HIPAA, and HIPAA always takes precedence over contract language.

HIPAA (45 CFR §160.203) preempts any contrary provision of a state or private contract unless the law is more protective of privacy.

If they demand full records without proper justification, they are potentially asking you to commit a HIPAA violation. Who do you think will be the one in trouble? It won’t be the insurance company!

The Minimum Necessary Standard Still Applies, even for risk adjustment, HEDIS, or audit. They must specifically define what they need; you are not required to release entire charts unless you are given specific reasons (e.g., multiple dates of service, multiple diagnoses under review), or a valid HIPAA authorization is included for full chart release.

You have every right to limit the information to the minimum necessary for the stated purpose.

Provider Contract Language Can Be Challenged. If the contract says you must release entire records, here's how to push back. Ask them to cite the exact contract clause they’re referencing, clarify that HIPAA still applies, and state that you are:

“Willing to comply with any contract terms that are not in conflict with federal law, including HIPAA’s minimum necessary rule.”

Remind them that non-compliance with HIPAA exposes you to federal penalties, not them.

Threatening Language Is Not a “Maybe”; It Is Intimidation. This is a common tactic to push providers into over-disclosing. You are not alone in receiving these; UnitedHealthcare, Aetna, and others have sent similar letters through third parties like Datavant, CIOX, and Optum. The Office for Civil Rights (OCR) and CMS have previously stated that the minimum necessary standard applies, even for risk adjustment and audit purposes.

Here is a response you can send to them in return:

We received your request for the entire medical record for [Patient Name/DOS]. While we understand this may be part of your risk adjustment or quality review process, please note that as a Covered Entity under HIPAA, we are obligated to comply with 45 CFR §164.502(b) and limit disclosures to the minimum necessary information required for the stated purpose.

Furthermore, while we strive to cooperate with our contractual obligations, no contract can require us to violate federal law. We are happy to provide all documentation relevant to the diagnoses or services under review. Please specify the exact dates of service and HCC codes or quality measures involved so we may comply appropriately.

We also request confirmation of any Business Associate Agreements (BAAs) in place between your organization and any subcontractors requesting PHI on your behalf, such as Datavant.

Insurance Companies Request Records Knowing It's a Potential HIPAA Violation!!!!

They Bet on Provider Compliance Through Intimidation. Insurers know that most providers (especially small practices) don’t have legal teams; many don’t fully understand HIPAA's “minimum necessary” rule; and practices are scared of being kicked off panels or having claims denied.

So, they send threatening letters and overly broad requests hoping you’ll comply without pushing back. This is a calculated risk, not ignorance. They exploit confusion to access more PHI than legally allowed, often for data mining or risk adjustment payment maximization.

They Profit from Over-Collection. For risk adjustment and HEDIS, the more diagnoses they can validate or "find," the more money they get from CMS or state Medicaid, and even old or unrelated conditions (like a past stroke or depression) can increase risk scores, inflating payments. More records = more coding opportunities = more money!

They Offload Risk and Responsibility. By using third parties (e.g., Datavant, CIOX, Change Healthcare) they don’t touch the PHI directly; they avoid HIPAA liability by making it your legal problem; and if there’s a breach or over-disclosure, it’s the provider who gets audited or fined.

They write vague letters like, “Per our contract, you must release all records...”

But they don’t mention HIPAA’s minimum necessary rule, or your right to request clarification.

There’s No Real Oversight (Yet). Regulatory bodies like OCR, CMS, and state health departments are understaffed; slow to act; and largely complaint-driven.

So, insurers know no one is watching unless someone files a formal complaint, and they won’t get penalized for asking for too much.

What Can You Do?

- Push back, demanding specific dates of service, diagnoses, and justification.
- Report the behavior to OCR (Office for Civil Rights) – https://www.hhs.gov/ocr – and/or CMS, especially if this involves Medicare Advantage risk adjustment.
- Document everything, keeping a paper trail of all communications.
- Refuse to violate HIPAA even if it means they escalate; you have federal law on your side.