Hint: Proper PHI scrubbing enables elimination of a record’s protected status. From patient names to medical records, you may be quite familiar with how to protect these types of protected health information (PHI). However, there are over a dozen types of PHI, and the rules surrounding how to keep them all safe can be confusing. Your ability to protect patients’ PHI is integral to avoiding a HIPAA breach, so it’s important to familiarize yourself with three key truths about PHI and three myths.
Truth 1: PHI Goes Far Beyond the Medical Record There’s more to PHI than just what’s in a patient’s chart. Any personal information that can identify the patient and is associated with the medical record is also protected — even URLs and license plate numbers. In fact, federal guidance lists the following 18 categories of “personal identifiers” that you must protect: Essentially, anything that can identify the patient to other people is considered PHI. For instance, if a patient’s name is John Smith but everyone in town calls him Smitty, then the name “Smitty” would count as part of the patient’s PHI. Truth 2: De-Identifying Medical Records Removes PHI Even though almost everything related to a patient’s identity is considered PHI, there are ways to remove that data from a record, so it no longer qualifies as protected health information. In fact, if a record is completely de-identified in such a manner that it cannot possibly be connected to an individual, then it would no longer be protected under HIPAA. Technically, at that point, it is no longer PHI. If you aren’t sure whether a patient’s PHI has been appropriately scrubbed enough to remove it from a record, then it’s important to consult a healthcare attorney to confirm that you’ve taken care of it. Truth 3: Healthcare Providers Can Share PHI for Treatment Purposes Your anesthesiologist can share protected health information about a patient with another provider in relation to that patient’s care. In addition, you do not need to have a business associate agreement (BAA) in place before you share PHI for the purpose of treating a patient. Under the HIPAA Privacy Rule, clinical care information can be readily exchanged between providers. This means your anesthesiologist can talk to another provider about a patient’s lab results or co-morbidities for the purposes of a patient’s care without worrying they have breached HIPAA. Remember, however, that when your anesthesiologist shares that PHI with other providers, they must do so in a HIPAA-compliant way, such as through encrypted email. Myth 1: Your Practice Owns the PHI, So Patients Can’t See It Many healthcare providers believe the patient’s PHI belongs solely to the practice, and that even the patient isn’t allowed to see it, but that’s a myth. You must allow individuals to request access to their personal records — this is a requirement under the HIPAA law. In addition, patients aren’t required to fill out an Authorization for Release of Records when requesting their own healthcare information. If you deny or withhold a patient’s records, you could face steep fines and penalties under the HIPAA Right of Access provision. Caveat: There are a few exceptions to patient access rights under HIPAA. These include exceptions for psychotherapy notes, as well as health information for civil, criminal, or administrative proceedings. Myth 2: HIPAA Prohibits PHI Disclosures, Even When Danger Is on the Line In situations when the health or safety of others is in danger, your practice is permitted to disclose PHI to people reasonably able to prevent or lessen the threat, including law enforcement authorities. According to the HHS Office for Civil Rights (OCR), HIPAA allows disclosures of health information to help with public health and safety issues to: Myth 3: State Laws Don’t Trump PHI Disclosure Rules Although some practices believe they can’t disclose PHI even in instances when state law requires them to do so, that’s a myth. In fact, the HIPAA Privacy Rule actually contains an exception specifically involving disclosures required by state law. Common state-law disclosure obligations include reporting cases of child abuse, reporting cases of vulnerable adult abuse, and reporting to law enforcement if an individual has certain types of wounds like a bullet wound. HIPAA’s “required by state law” disclosure exception makes reviewing and understanding your state’s mandatory reporting laws absolutely essential. Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake your practice should avoid making. Torrey Kim, Contributing Writer, Raleigh, N.C.