CommercialAdministrativeMedium impact
24-1094m Safeguard Patient Privacy When Sharing Medical Records
Health Net·CA·Prior Authorization
We identified it
Jun 20, 2026
Summary
Health Net requires providers to establish written policies for protecting patient health information (PHI) under HIPAA, with specific requirements for handling sensitive services like mental health, reproductive health, and substance use. Providers must respond to confidential communication requests within 7-14 days and direct all communications about sensitive services to the patient's designated contact information.
Action Required
Immediately: Establish or update written HIPAA policy for PHI protection and maintain in hard copy or electronic format. Implement process to respond to confidential communication requests within 7 days for electronic/phone requests or 14 days for mail requests. Update billing procedures to send all communications regarding sensitive services (mental health, reproductive health, substance use, etc.) to patient's designated address/contact information rather than primary subscriber. Train staff on not requiring protected individuals to obtain primary subscriber authorization for sensitive services claims.