Attributed Patients Aren’t Automatically Your Patients: A Compliance Reality Check for Providers

  • Writer: Jessica Zeff
  • Feb 27
  • 3 min read
[Illustration: a step-by-step staircase labeled attribution, outreach, visit, and consent, leading to secured medical records with a lock and shield; clinical record access is permitted only after proper patient engagement and authorization.]

I still remember the first time I saw an attribution list land in my inbox. It was a color-coded Excel sheet with nearly 2,000 names and more columns than I could count. A value-based care program had just launched, and the health plan wanted our team to begin outreach immediately.


Our population health lead, eager to show results, walked into my office and said, “We’re having our outreach team pull HIE records so they can tailor the first call. That’s okay, right?”


I paused. Because no—it wasn’t okay. Not yet. And in that moment, I realized how deeply misunderstood “attribution” still was.


That memory still pops up every time I’m asked a question that starts with: “If the patient is attributed to us…”


Attribution Is Not a Clinical Relationship

In the world of value-based care, health plans routinely assign or “attribute” patients to providers or entities based on claims history. It’s a tool for performance tracking, payment, and sometimes risk adjustment. But from a HIPAA perspective, attribution is not permission.


Here’s the compliance truth:


Attribution is an administrative label. It is not evidence of an existing treatment relationship.


Until a patient has:

  • Had a documented encounter, or

  • Signed a consent-to-treat or enrollment form,


…you may not have the authority to access that individual’s full clinical history. Especially not via HIE queries or EHR chart reviews outside of what the plan has already shared.


What You Can Access—and What You Can’t


Let’s break it down:


Claims data – Typically OK. Health plans can send historical data, including encounter summaries, risk scores, and open care gaps. They’re sharing it under healthcare operations or payment activities.


Clinical records – Not usually OK—unless you already have an established care relationship or specific patient authorization.


That includes:


  • Pulling HIE data to “prepare” for a call

  • Reviewing diagnoses beyond immediate care coordination

  • Accessing behavioral health or HIV data without consent


In short: just because a patient is attributed doesn’t mean your staff can open their chart.


Where the Breakdown Happens: Non-Clinical HIE Access

This is the scenario I see most often—and it’s risky:

  1. The patient is attributed, but hasn’t had contact yet.

  2. The care team assigns outreach to a coordinator.

  3. The outreach coordinator logs into the HIE to “get a sense of the patient’s history.”


The problem? There’s no treatment relationship yet. And the person accessing the record is non-clinical.


HIPAA permits access under treatment, payment, or operations—but only when the purpose is legitimate and role-appropriate. Pre-engagement outreach does not meet that bar. And "I needed to script the call" isn't enough to justify full record review.


What HIPAA Allows—and What It Doesn’t


HIPAA may allow:

  • Outreach using roster data from the plan

  • Attempting to schedule care or confirm the assigned relationship

  • Sharing general care coordination information once a relationship is formed


HIPAA does not allow:

  • Reviewing a patient’s clinical history to prep for an outreach call

  • Letting staff see mental health notes, labs, or imaging before the patient is onboarded

  • Using role-based access that isn’t minimum necessary


We often think of HIPAA violations as breaches. But many of these missteps don’t trigger breach notifications—they show up in audits, OCR reviews, and delegation oversight.


Compliance Recommendations for Attributed Patient Outreach

Here’s how I advise clients to handle this:

  • Use only plan-provided data for pre-engagement communication

  • Restrict HIE or EHR access to clinical staff—and only when treatment has begun

  • Require patient engagement (visit, signed consent, enrollment) before expanding access

  • Tie role-based access controls to engagement status within your EHR or HIE

  • Document everything—especially why access was appropriate at that stage

Think of this like a staircase. Access increases step by step, not all at once.


The Question You’ll Be Asked

If you end up in front of a health plan auditor, HIE compliance board, or OCR investigator, this is the first question they’ll ask:


“What authority did you have to access this patient’s record at that time?”


If your answer is “they were on our attribution list,” that usually won’t cut it.


Being proactive in outreach is great. But compliance must guide your engagement strategy—otherwise, well-intentioned access becomes a liability.

 
