General Surgery Coding Alert

Practice Management:

Refresh Your HIPAA Compliance Know-How

Waivers end with PHE.

With the end of the COVID-19 public health emergency (PHE) this month, your surgery practice is facing the end of HIPAA compliance waivers that have been in effect since 2020.

That means it’s time for a refresher, so your practice won’t run afoul of the rules. Take a look at this quick rundown on three HIPAA elements you need to know — along with three nuances for each element to help you keep the regulations straight.

1. Review PHI Parameters

Protected health information (PHI) includes not only information about a patient’s health, but also demographic information. Under the Privacy Rule’s Safe Harbor de-identification standard, health information that can be linked to a specific individual through any of 18 listed identifiers is regarded as protected. Those identifiers include such things as a person’s name, Social Security number, physical and electronic mail addresses, telephone numbers, license plate numbers, and account numbers. For the full list, go to: www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf.

Key: Without an identifier, health data is not PHI. As Barbara Hays, CPC, CPCO, CPMA, CRC, CPC-I, CEMC, CFPC, medical review supervisor, special investigations at GEHA in Lee’s Summit, Missouri, explains, “if a record is completely de-identified in such a manner that it cannot possibly be connected to an individual, then, technically, it is no longer PHI.”

Nuance 1: The identifiers in the list aren’t the only things you must consider. “If there are unlisted identifiers, PHI still needs to be protected. So, for example, if the information identifies a man who just returned to a small town from being overseas in the Marines, though that itself is not PHI, townspeople would easily be able to identify this person, and thus the information needs to be protected,” notes Suzan Hauptman, MPM, CPC, CEMC, CEDC, director, compliance audit at Cancer Treatment Centers of America.
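The mechanical part of Safe Harbor de-identification (drop the listed identifiers, keep only the year of dates, collapse ages over 89 into “90 or older”, truncate ZIP codes to three digits, scrub obvious identifier patterns out of free-text notes) can be scripted. The example below is added here and is not from the article or from HHS; the field names, the sample record and the restricted-ZIP set are constructed for illustration (the real restricted-ZIP list comes from Census data per the HHS guidance). Note what it cannot do: it has no way to spot the contextual quasi-identifier of Nuance 1, which is why a pattern scrub is a check, not a release decision.

```python
"""Safe Harbor-style de-identification of a patient record (illustrative,
not HHS code). Field names and the restricted-ZIP set are assumptions."""
import re
from datetime import date

# Fields that hold Safe Harbor direct identifiers; dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric_id", "photo",
}
# Date fields: only the year may survive.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes covering 20,000 or fewer people become "000".
# PLACEHOLDER set for illustration; populate from current Census data.
RESTRICTED_ZIP3 = {"036", "059"}

# Identifier patterns that commonly leak into clinical notes. Ordered so
# that the more specific patterns (SSN, MRN) run before the phone pattern.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN", re.compile(r"\bMRN\s*#?\s*\d+\b", re.IGNORECASE)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]


def scrub_text(text):
    """Replace identifier patterns with [CATEGORY] tags; return (text, labels found)."""
    found = []
    for label, pattern in FREE_TEXT_PATTERNS:
        text, count = pattern.subn("[" + label + "]", text)
        if count:
            found.append(label)
    return text, found


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor_deidentify(record, as_of):
    """Return (de-identified copy, list of identifier categories removed)."""
    out, removed = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            removed.append(key)
        elif key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key in DATE_FIELDS:
            out[key + "_year"] = value.year      # year only
        elif key == "note":
            out["note"], found = scrub_text(value)
            removed.extend("note:" + label for label in found)
        else:
            out[key] = value                     # clinical data stays
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        if age > 89:
            out["age"] = "90+"                   # aggregate ages over 89
            out.pop("dob_year", None)            # birth year would reveal the age
        else:
            out["age"] = age
    return out, removed


def residual_identifiers(record):
    """Second-pass check: labels of any pattern still present in string fields."""
    hits = []
    for value in record.values():
        if isinstance(value, str):
            hits.extend(scrub_text(value)[1])
    return hits


# Constructed sample record (fictional patient).
AS_OF = date(2023, 5, 1)
SAMPLE = {
    "name": "Jane Q. Public",
    "dob": date(1931, 5, 2),
    "ssn": "123-45-6789",
    "zip": "03601",
    "city": "Claremont",
    "admit_date": date(2023, 4, 17),
    "diagnosis": "K80.20",
    "note": "Pt called from 555-123-4567 re: results; prior visit 03/14/2023. MRN 0048213.",
}

if __name__ == "__main__":
    clean, dropped = safe_harbor_deidentify(SAMPLE, AS_OF)
    print(clean)
    print("removed:", dropped, "residual:", residual_identifiers(clean))
```

The residual check only proves the regexes no longer fire; it says nothing about a note that reads “Marine just back from overseas”, which is exactly the case Nuance 1 warns about and still needs a human reviewer.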

2. Know How to Release Patients’ PHI

You may release PHI for patient treatment, payment, and healthcare operations, according to the Department of Health and Human Services (HHS) (www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html). The “Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent,” HHS states.

Verify: You must verify the patient’s identity when you obtain patient consent. If the patient cannot give consent in person, then you must verify identity using patient information such as the patient’s date of birth or the last four digits of the patient’s Social Security number — or via a phone call or a secure email through a patient portal.

Nuance 2: Consent only applies to PHI release for purposes of treatment, payment, and healthcare operations. For any other kind of release, you will need an authorization, which the Privacy Rule defines as “a detailed document that gives covered entities permission to use protected health information … to disclose protected health information to a third party specified by the individual.” The document must specify and include, where appropriate, “a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed,” according to the Privacy Rule.

3. Provide Proper Patient Access for PHI

Under the Privacy Rule’s right of access, which the HHS Office for Civil Rights (OCR) has enforced through its Right of Access Initiative since 2019, you must allow individuals to request access to their own records in a designated record set (DRS), which includes laboratory results. For example, if your patient asks for a copy of their records, you must give them a copy of whatever is in their DRS, says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. Denying patient access could constitute a HIPAA violation.

Patients are not required to fill out an authorization for release of records when requesting their own healthcare information, and you must turn the information around within 30 days (one 30-day extension is allowed if you tell the patient in writing why you need it and when to expect the records). You are permitted to charge a reasonable, cost-based fee for the service.

Nuance 3: Patients do not have the right to access their entire medical record. For example, covered entities (CEs) do not have to turn over information compiled in anticipation of, or for use in, legal proceedings. Individuals also don’t have the right to access mental health professionals’ psychotherapy notes, because of the nature of their content.