Privacy Versus Release of Information Traps

CBCS orientation: the exam has 100 scored items plus 25 pretest items, a 3 hour testing window, and a scaled passing score of 390. Current scored domains are Revenue Cycle and Regulatory Compliance with 15 items, Insurance Eligibility and Other Payer Requirements with 20 items, Coding and Coding Guidelines with 32 items, and Billing and Reimbursement with 33 items. As of 2024-09-24, coding manuals are not permitted or required for CBCS; exam questions include the coding information needed. Privacy and release of information questions test controlled disclosure, not silence.

Key Concepts

Privacy is the duty to protect individually identifiable health information and use or disclose it only as permitted or required. Release of information is the process for responding to requests for records or data. Billing staff handle protected health information in claims, authorizations, appeals, patient statements, phone calls, portals, and collection workflows. The exam trap is choosing an extreme: never release anything for payment, or release everything because payment is involved. The better approach is to identify the requester, purpose, authority, information requested, method, and documentation.

For routine payment, the provider may disclose information needed to submit claims and obtain payment, such as diagnosis, procedure, date of service, provider identifiers, charges, authorization numbers, and payer-required attachments. Minimum necessary reasoning still matters when applicable. If a payer requests the operative note for a surgical denial, sending the relevant operative note and supporting encounter documentation through an approved portal or secure channel may be appropriate.

Sending years of unrelated records because they are easy to attach is not. If an authorization vendor requests clinical notes for a specific MRI, send the records relevant to that request according to policy.

Patient access and third-party requests require different analysis. A patient requesting their own record follows the patient access workflow. A spouse, adult child, employer, attorney, or insurance agent may need patient authorization or another valid authority before information is released. A parent or personal representative may have authority in many cases, but exceptions can apply; the exam should provide the needed facts, and the safe answer is to follow organizational ROI policy.

Workflow and Documentation

If an employer calls asking for a diagnosis to update a work schedule, do not disclose protected information without verified authority. If a neighbor asks for a bill or test result, verify permission before disclosure.

Legal-looking requests are another trap. A subpoena, court order, warrant, attorney letter, and informal request are not the same. Billing staff should route legal requests to the designated privacy, health information management, or legal process instead of releasing records casually. Phone calls require identity verification. If someone claims to be from a payer, use approved verification procedures before discussing account details.

Patient statements and collection letters also contain protected information, so address accuracy, communication preferences, and discreet messaging matter. Do not leave detailed voicemail messages unless policy permits.

Appeals combine privacy and reimbursement. A medical necessity denial may require records, but only relevant records should be released through approved channels. The account should document who requested the information, what was sent, why it was sent, when it was sent, how it was sent, and under what authority. Privacy rules do not prevent legitimate payment operations, and payment operations do not erase privacy duties. On the exam, choose answers that verify identity, confirm permission or permitted purpose, apply minimum necessary when appropriate, use secure transmission, and document disclosure.

Exam Application

Avoid answers that discuss patient information in public areas, use personal email, send unrelated records, or refuse all payer documentation requests. Privacy also affects everyday billing communication. A patient statement mailed to an outdated address can disclose information to the wrong person. A voicemail that names a diagnosis or procedure may reveal more than policy allows. A front-desk conversation about a balance can be overheard if staff speak loudly in a public area. A collections referral should include only information permitted by policy and law for that purpose.

CBCS questions may not ask for statute names; they usually ask which behavior protects information while allowing legitimate billing work to continue. If the answer choice includes both verification and documentation, it is often stronger than an answer that only releases or refuses information. The process matters as much as the disclosure decision.

High-Yield Checkpoints

• Privacy protects health information, while release of information controls disclosure to authorized persons or entities.
• Payment and operations may permit disclosures, but minimum necessary and policy still matter.
• A patient authorization, subpoena, court order, payer request, patient access request, and claim attachment are different workflows.
• Identify requester, information requested, purpose, authority, and documentation.
• Do not withhold all payment information or release unrelated records for convenience.