HIPAA laws entitle patients to access to their medical records (with limited exemptions), and insurers unable to document adherence to healthcare laws could conceivably reverse a denial decision to avoid hassle.
Insurers are not required to designate a "HIPAA Compliance Officer," nor are they obligated to provide the names and credentials of everyone involved in a coverage decision.
On 11 December 2015, a Facebook user published the above-reproduced image advising:
So, your doctor ordered a medical test or treatment and your insurance company denied it. That is a typical cost saving method.
OK, here is what you do:
- Call the insurance company and tell them you want to speak with the “HIPAA Compliance/Privacy Officer” (By federal law, they have to have one)
- Then ask them for the NAMES and CREDENTIALS of every person accessing your record to make that decision of denial. By law you have a right to that information.
- They will almost always reverse the decision very shortly rather than admit that the committee is made of low paid HS graduates, looking at “criteria words,” making the medical decision to deny your care. Even in the rare case it is made by medical personnel, it is unlikely it is made by a board certified doctor in that specialty and they DO NOT WANT YOU TO KNOW THIS!
- Any refusal [to comply with such a request for documentation] should be reported to the US Office of Civil Rights (OCR.gov) as a HIPAA violation.
The user indicated that the image was back by “popular demand,” but it didn’t begin appearing in our inbox until December 2015. At that time, its spread on Facebook, and the ease with which it promised patients might navigate universally unpleasant medical insurance company morasses, led many to question whether its claims were accurate.
The image, which appeared with a photograph of a medical professional in scrubs to imply authority on the matter, appeared to convey a simple strategy not exclusive to dealings with insurance companies. By simply overwhelming your adversary with onerous or difficult to attain requests, you might encourage their compliance on a separate, smaller request. The tactic is common and often invoked to beat bureaucratic entities at their own game, often with mixed results.
While the meme appears concise, it carries a number of specific legal, medical, and insurance-related claims. It began by referencing “cost saving” denials made by insurance companies irrespective of medical necessity; an example of such a practice was rescission, since banned under the provisions of the Patient Protection and Affordable Care Act of 2012, most commonly known as “Obamacare.”
In its first point, the meme directs patients to call their insurance companies (department or division unspecified) and request to speak with the “HIPAA Compliance/Privacy Officer,” a position it asserts is required by federal law of all insurance companies, presumably under the Health Insurance Portability and Accountability Act of 1996, or HIPAA. However, while it’s true that insurers are required to have someone on hand who can explain HIPAA-related issues to customers, they aren’t required to dedicate people solely or specifically to that task, nor identify them as “”HIPAA Compliance/Privacy Officers.”
Once a patient makes contact with an insurance company’s “HIPAA compliance officer,” step two claims that that person is obligated to supply the “NAMES as well as CREDENTIALS of every person accessing your record” in order to have reached the initial decision of denial.
Again, it’s true that HIPAA regulations mandate that patients be able to obtain information about who has accessed their medical records, those regulations don’t require insurers to provide the credentials of every such person.
Step three of the meme assumes that steps one and two can be achieved without question. It holds that under the conditions described, health insurers will almost always opt to reverse the decision rather than provide information to which the patient is entitled under federal law. Whether such an entitlement existed is debatable (and likely variable) and whether the insurance company would indeed choose a path of ostensible least resistance is again impossible to predict. The third section further claims denials of coverage were invariably made by “low paid HS graduates,” not medical doctors of a relevant specialty.
This portion appeared to suggest that insurance companies are bound by law to base decisions to deny coverage of services or medications on the decision of not just a doctor, but a doctor that is board certified in the specialty under which that treatment fell. We were unable to substantiate that assertion. In the large number of provisions attached to both HIPAA and Obamacare, none appeared to mandate that denial of coverage decisions be based on a doctor’s review. Similarly, we found no evidence that should such a convention be widely observed, documenting it would be difficult: if the law required physician supervision in compliance with HIPAA, insurance companies more than likely provided for that in the structure under which they issued coverage denials.
Ultimately, information on how such decisions were reached didn’t appear to be widely available (the image tacked on an assertion that “they” don’t “want you to know” the process), but the basic underlying assertion didn’t seem to be supported by existing laws. As such, the opacity of the process may be less deliberate obfuscation, and more a simple absence of related legal structure — if insurance companies are entitled to deny coverage on a discretionary basis without the say-so of a doctor, there’s no reason a non-mandated process would be outlined through any plan resource or HHS guideline. Asking for such documentation would make as much sense as someone demanding a receipt for a donut you didn’t buy. Consistent across the board in all healthcare law was a mandatory stipulation all denials must be issued to patients in writing; no language specified such denial decisions must be reached by a doctor or specialist.
Finally, in step four the meme instructs patients to report any refusal (presumably with respect to the requested information) to the Office of Civil Rights (OCR) as a HIPAA violation. According to the U.S. Department of Health and Human Services (HHR), that is correct — suspected HIPAA violations can be reported by anyone to that agency. However, whether the documentation listed constituted a HIPAA violation remained unclear; doing so would perhaps result in outside review of a patient’s appeal, but not likely in a timely fashion.
Armed with a freshly issued prescription coverage denial from our own health insurer, we contacted them on 15 December 2015 to see if following the steps in the meme worked. The customer service agent with whom we spoke repeatedly stated she was unaware of any such entity within the company titled “HIPAA Compliance [or] Privacy Officer.” We asked whether there was a broader department with whom we could lodge such a request; she indicated that our only recourse involved officially appealing the decision. When we asked whether we could obtain a list of names and credentials for the individuals on the panel responsible for the decision, she indicated that fulfilling such a request was not possible, adding that the panel was made up of “medical professionals and pharmacists familiar with the relevant treatment.”
Unlike most partially correct advice memes, the shakeout of the “medical hack” meme wasn’t necessarily of limited value. Anyone who has navigated the complex intersection of HIPAA, Obamacare, insurance companies, and authorizations is likely familiar with how truly arbitrary such decisions and reversals often can seem. Utilizing the advice as presented in the meme is unlikely to worsen a patient’s experience after they’ve been denied a test or treatment, but the cumulative presented advice was no guarantee of success in securing a successful appeal of denial. The largest risk appeared to be wasting time on the phone attempting to elicit such a decision, but similarly, it wouldn’t hurt to try before exploring other options. Given all available information, however, insurance companies routinely made every attempt to follow the letter of the law (if not its spirit) and remained largely compliant; hoping for a chink in that armor could well be a long shot.