The feds have sanctioned some HIPAA flexibility measures during the PHE. Even though you can share patient protected health information (PHI) under specific circumstances during the COVID-19 public health emergency (PHE), you always need a sound basis for guiding your disclosure actions and keeping you clear of enforcement proceedings. Let our experts help refresh your memory on what information PHI includes and what measures of HIPAA flexibility the feds have sanctioned during the PHE. Don’t Stop With the Medical Record There’s more to PHI than just what’s in a patient’s chart. Any personal information that can identify the patient and is associated with the medical record is also protected. In fact, federal guidance lists the following 18 categories of “personal identifiers” that you must protect: Remember: PHI is demographic information as well as information about a patient’s health. When health information can be linked to a specific individual via one of the identifiers, all of that information is regarded as protected. When the information is not linked, it is not PHI. “If a record is completely de-identified in a such a manner that it cannot possibly be connected to an individual, then no, that would not be protected. Technically, it is no longer PHI,” says Barbara Hays, CPC, CPCO, CPMA, CRC, CPC-I, CEMC, CFPC, medical review supervisor, special investigations, GEHA in Lee’s Summit, Missouri. “If there are unlisted identifiers, PHI still needs to be protected,” says Suzan Hauptman, MPM, CPC, CEMC, CEDC, director, compliance audit, Cancer Treatment Centers of America. “So, for example, if the information identifies a man who just returned to a small town from being overseas in the Marines, though that itself is not PHI, townspeople would easily be able to identify this person and thus, the information needs to be protected.” Do Clarify PHE-Related Privacy Exceptions Make no mistake, HIPAA continues to apply to covered entities (CEs) and business associates (BAs) during the PHE, but the HHS Office for Civil Rights (OCR) has issued guidance allowing some exceptions. During the PHE, CEs can disclose patients’ PHI without authorization when it’s “necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” explains the OCR. Review this checklist of when CEs can share PHI without authorization, according to OCR guidance: Treatment: If necessary, a CE can share PHI without authorization to treat the patient or a different patient. Public health activities: There are three groups CEs can share PHI with during a PHE without authorization. They include: Family and friends: If necessary, a CE can share a patient’s PHI with family, relatives, and friends if they’re part of the patient’s care or need to be located, identified, or notified about location, condition, or death. Additionally, the CE must get “verbal permission” or “infer” the patient wouldn’t object because it’s in their best interest; the patient is incapacitated or unconscious and the provider uses medical judgment to share the data; or the CE needs to share the PHI with a disaster relief organization like the Red Cross to ensure public safety. Imminent threat: If state laws and ethics are observed, providers may share PHI to avoid or diminish dangers and imminent threats. Resource: For ongoing information regarding HIPAA and the PHE, including the OCR guidance, visit www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html.