ED Coding and Reimbursement Alert

When the PHE ends, will your practice be ready?

The COVID-19 public health emergency (PHE) ends this month — and coders need to be concerned with all the rules that will kick back in. HIPAA compliance is at the top of that list.

The Biden administration ends the PHE on May 11 (At press time, the date still hadn’t arrived). On May 12, many — if not all — of the current HIPAA waivers will disappear. You’ll want to refresh your memory of the HIPAA regulations as they apply to your patients before May 11.

Help’s here: Take a look at this quick rundown on three HIPAA elements you might need to review. We’ve also included three significant nuances for each element to help you navigate the gray areas of this significant patient right.

1. PHI Knowledge a Must

Protected health information, or PHI, includes demographic information as well as information about a patient’s health. When health information can be linked to a specific individual via one of 18 different demographic identifiers, the information is regarded as protected. Those identifiers include such things as a person’s name, Social Security number, physical and electronic mail addresses, telephone numbers, license plate numbers, and account numbers. (For the full list, go to: www. hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/ coveredentities/De-identification/hhs_deid_guidance.pdf.)

The key to understanding PHI, then, is knowing when an identifier links a specific individual with specific health information. If it does, then the information is protected. But “if a record is completely de-identified in a such a manner that it cannot possibly be connected to an individual, then, technically, it is no longer PHI,” explains Barbara Hays, CPC, CPCO, CPMA, CRC, CPC-I, CEMC, CFPC, medical review supervisor, special investigations at GEHA in Lee’s Summit, Missouri.

Nuance 1: “If there are unlisted identifiers, PHI still needs to be protected. So, for example, if the information identifies a man who just returned to a small town from being overseas in the Marines, though that itself is not PHI, townspeople would easily be able to identify this person, and thus the information needs to be protected,” notes Suzan Hauptman, MPM, CPC, CEMC, CEDC, director, compliance audit at Cancer Treatment Centers of America.

2. Release Patients’ PHI Properly

For the release of “protected health information for treatment, payment, and healthcare operations”, the “Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent” according to the HHS (Source: www. hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html).

That consent must be accompanied by verification of the patient’s identity. If the patient cannot give consent in person, then you must obtain it through verifying such patient information as the patient’s date of birth or the last four digits of the patient’s Social Security number — or via a phone call or a secure email through a patient portal.

Nuance 2: Consent only applies to PHI release for purposes of treatment, payment, and healthcare operations. For any other kind of release, you will need an authorization, which the Privacy Rule defines as “a detailed document that gives covered entities permission to use protected health information … to disclose protected health information to a third party specified by the individual.” The document must specify and include, where appropriate, “a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed,” according to the Privacy Rule.

3. Remember Patient Access Rules for PHI

According to the 2019 Office of Civil Rights (OCR) Right of Access Initiative, you must allow individuals to request access to their own records in a designated record set (DRS) that includes laboratory results. For example, if your patient asks for a copy of their records, you must give them a copy of whatever is in their DRS, says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. Denial of such access could constitute a HIPAA violation.

Patients are not required to fill out an authorization for Release of Records when requesting their own healthcare information, and you must turn the information around within 30 days. You are permitted to charge a reasonable fee, based on your practice’s cost, for the service.

Nuance 3: Patients do not have the right to access their entire medical record. For example, covered entities (CEs) do not have to turn over data compiled and created for use in legal proceedings. Individuals also don’t have the right to access mental health professionals’ psychotherapy notes due to the nature of their content.