Requests for health data by insurer raise questions

In a story reported by the Hartford Courant, a series of requests for health records sent to Connecticut doctors by Ingenix has garnered attention both for the nature of the requests and the manner in which they were received. It seems the health analytics firm — a subsidiary of health insurer UnitedHealthcare — sent medical record requests by fax to doctors, as part of an ongoing program to review data in medical charts associated with Medicare claims. On its face, this is a valid use of personal health information, at least under HIPAA, but a representative for a physicians’ organization in the state suggests that doctors do not ordinarily receive such requests by fax or respond in kind to an unknown requester. For its part, Ingenix says that when it surveyed doctors, most indicated they preferred to be contacted by fax, so that’s the channel the company used.

Despite the use of relatively old-school technology, this situation raises issues similar to those likely to be encountered in the coming era of electronic (and automated) health information exchange, where systems are configured to respond with medical records as long as the requester can be authenticated and the stated purpose for the request is valid. For instance, the interface specifications and legal agreements established for the Nationwide Health Information Network (NHIN) obligate a participating organization that receives an authenticated request for records to respond if the purpose in the request is “treatment.” It’s pretty easy to imagine a major health insurer like UnitedHealthcare would someday be a participating entity in the NHIN, and the automation of responses to requests such as this — while they would certainly be logged and made part of the accounting of disclosures required under HIPAA — might go unnoticed by individual practitioners and therefore be less likely to attract the attention of anyone wanting to validate that the record exchanges were actually appropriate.

Some would argue that Connecticut is experiencing a period of heightened sensitivity to health data disclosures, following the delayed notification of Connecticut residents who were affected by Health Net’s breach of personal information and subsequent legal action taken by the state attorney general. The sincere hope in this case is that Ingenix was not misusing the trust in it (or its corporate parent) to solicit health data under false pretenses.