How does the HIPAA Privacy Rule apply to professional liability insurance? Specifically, how can professional liability insurers continue to arrange for and maintain medical liability insurance for health care providers covered by the Rule?
The Privacy Rule permits a covered health care provider to disclose information for “health care operations” purposes, subject to certain requirements. Disclosures by a covered health care provider to a professional liability insurer or a similar entity for the purpose of obtaining or maintaining medical liability coverage or for the purpose of obtaining benefits from such insurance, including the reporting of adverse events, fall within “business management and general administrative activities” under the definition of “health care operations.” Therefore, a covered health care provider may disclose individually identifiable health information to a professional liability insurer to the same extent as the provider is able to disclose such information for other health care operations purposes.
See 45 CFR 164.502(a)(1)(ii) and the definition of “health care operations” at 45 CFR 164.501.