General Surgery Coding Alert

HIPAA:

Protect Patient Information Beyond the Chart

Understand compliance relief during PHE.

Even though you can share patient protected health information (PHI) under specific circumstances during the COVID-19 public health emergency (PHE), you always need a sound basis for guiding your disclosure actions and keeping you clear of enforcement proceedings.

Help has arrived: Our experts are here to give your general surgery practice that “sound basis” by reminding you what information PHI includes, and what HIPAA flexibility the feds have sanctioned during the PHE.

Look Beyond the Medical Record

There’s more to PHI than just what’s in a patient’s chart. Any personal information that can identify the patient and is associated with the medical record is also protected. In fact, federal guidance lists the following 18 categories of “personal identifiers” that you must protect:

  • Names, such as patient, relatives, household members, or employers
  • Geographic information such as address or ZIP code
  • Dates/numbers
    • Such as birthday, admission or discharge date, death date
    • Age (except that an age range is OK)
    • Social Security number
    • Any other unique identifying number
  • Contact information
    • Phone number
    • Fax number
    • Email address
  • Medical record
  • Accounts
  • License/certificate
  • Vehicle info, such as tag, VIN
  • Devices, such as computer serial number
  • Web address (URL)
  • IP address
  • Biometric identifiers (finger, voice, facial)
  • Photo of frontal face or comparable

Key: PHI is demographic information as well as information about a patient’s health. When health information can be linked to a specific individual via one of the identifiers, all of that information is regarded as protected. When the information is not linked, it is not PHI.

“If a record is completely de-identified in such a manner that it cannot possibly be connected to an individual, then no, that would not be protected. Technically, it is no longer PHI,” says Barbara Hays, CPC, CPCO, CPMA, CRC, CPC-I, CEMC, CFPC, medical review supervisor, special investigations, GEHA in Lee’s Summit, Missouri.

Tip: “If there are unlisted identifiers, PHI still needs to be protected. So, for example, if the information identifies a man who just returned to a small town from being overseas in the Marines, though that itself is not PHI, townspeople would easily be able to identify this person and thus, the information needs to be protected,” notes Suzan Hauptman, MPM, CPC, CEMC, CEDC, director, compliance audit, Cancer Treatment Centers of America.

Clarify PHE-Related Privacy Exceptions

Make no mistake, HIPAA continues to apply to covered entities (CEs) and business associates (BAs) during the PHE, but the HHS Office for Civil Rights (OCR) has issued guidance allowing some exceptions.

During the PHE, CEs can disclose patients’ PHI without authorization when it’s “necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” explains the OCR.

Review this checklist of when CEs can share PHI without authorization, according to OCR guidance:

Treatment: If necessary, a CE can share PHI without authorization to treat the patient or a different patient.

Public health activities: There are three groups CEs can share PHI with during a PHE without authorization. They include:

  • Public health authorities like the Centers for Disease Control and Prevention (CDC) or state or local health departments to prevent or manage disease, injury, or disability.
  • Foreign governments at the direction of a public health authority, working with the authority.
  • People at risk of contracting or spreading disease, but only if the state law authorizes the CE to notify such persons to avoid or control the spread of the disease, or otherwise to carry out PHE interventions or investigations.

Family and friends: If necessary, a CE can share a patient’s PHI with family, relatives, and friends if they’re part of the patient’s care or need to be located, identified, or notified about location, condition, or death. Additionally, the CE must get “verbal permission” or “infer” the patient wouldn’t object because it’s in their best interest; the patient is incapacitated or unconscious and the provider uses medical judgment to share the data; or the CE needs to share the PHI with a disaster relief organization like the Red Cross to ensure public safety.

Imminent threat: If state laws and ethics are observed, providers may share PHI to avoid or diminish dangers and imminent threats.

Resource: For ongoing information regarding HIPAA and the PHE, including the OCR guidance, visit www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html.