Q and A providing guidance on the status of QIOs under HIPAA

When Can Covered Entities Disclose Information on Medicare Beneficiaries to QIOs?

Medicare Quality Improvement Organizations (QIOs) perform certain review and other functions for the Centers for Medicare & Medicaid Services (CMS) under contracts with CMS. These functions are required under Part B of Title XI of the Social Security Act. Part B of Title XI also requires that covered entities disclose information on Medicare beneficiaries to QIOs so that QIOs can perform the requirements under their Medicare contracts. Covered entities that conduct certain electronic transactions and are subject to the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) generally cannot disclose protected health information on Medicare beneficiaries or other patients without permission of the patients, unless the rule otherwise allows disclosure. If a covered entity's disclosure is required by law, the rule allows disclosure without the patient's permission under 45 CFR 164.512(a). Therefore, when a covered entity discloses to a QIO information on Medicare beneficiaries that the QIO needs in order to perform under its contract with CMS, patient permission is not required.

When Can Covered Entities Disclose Information on Non-Medicare Patients to QIOs?

Covered entities may also disclose protected health information about non-Medicare patients without their permission when the information involves the QIO's quality-related activities under its contract. Generally, when QIOs receive this information, they are functioning as health oversight agencies under 164.512(d).

The HIPAA Privacy Rule defines a health oversight agency to include a Federal or other governmental agency or authority that is authorized by law to oversee the health care system (whether public or private), or government programs in which health information is necessary to determine eligibility or compliance with program standards (45 CFR 164.501). Oversight agencies also include a person or entity acting under a contract with the public agency. Part B of Title XI requires Medicare QIOs, as CMS' contractors, to conduct activities necessary for appropriate oversight of the health care system. Specifically, Medicare QIOs are health oversight agencies to the extent that they are acting under contract with Medicare to oversee the health care system in general or compliance with quality standards under Medicare. This includes collecting and reviewing quality performance measures from hospitals regarding Medicare and non-Medicare patients, such as reports on surgical infection prevention, acute myocardial infarction and influenza and pneumococcal immunization. When a QIO is acting as a health oversight agency, disclosures to them for health care oversight purposes are permissible without patient permission.

Are Covered Entities Protected When They Make Disclosures to QIOs?

The Social Security Act provides certain protections to those who disclose information to the QIOs, as described in 1157 of the Act. Under 1157, no person providing information to a QIO will be held, by reason of having provided such information, to have violated any criminal law or to be civilly liable under any State or Federal law, unless the information provided is unrelated to the performance of the contract of the QIO or the information is false and the individual knew or had reason to believe that the information was false.