And remember these gray areas when you’re in doubt.

Whether it’s time for your annual HIPAA review or you’re just refreshing your memory, it’s important to keep in mind that HIPAA regulations are not always cut and dried. One component of HIPAA that many healthcare professionals consistently misunderstand is protected health information (PHI). For example, you may think that it is safe to reveal patient information when all the patient identifiers have been removed, but that may not be the case. You may also not know who should have permission to view the patient’s health record without the patient’s consent. And you may not know that patients themselves can be denied access to their own health information under certain circumstances. So, here are three things you need to know about PHI to stay on the right side of the privacy laws, along with three accompanying gray areas that will add to your HIPAA knowhow.
1: Understand How PHI Is Protected

PHI, essentially, is demographic information as well as information about a patient’s health. When health information can be linked to a specific individual via one of 18 different identifiers, it is regarded as protected. Those identifiers include such things as a person’s name, Social Security number, physical and electronic mail addresses, telephone numbers, license plate numbers, and account numbers. (For the full list, go to: www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf.)

The key to understanding PHI, then, is knowing when an identifier links a specific individual with specific health information. If it does, then the information is protected. But “if a record is completely de-identified in such a manner that it cannot possibly be connected to an individual, then technically, it is no longer PHI,” explains Barbara Hays, CPC, CPCO, CPMA, CRC, CPC-I, CEMC, CFPC, medical review supervisor, special investigations, GEHA in Lee’s Summit, Missouri.

Gray area 1: “If there are unlisted identifiers, PHI still needs to be protected. So, for example, if the information identifies a man who just returned to a small town from being overseas in the Marines, though that itself is not PHI, townspeople would easily be able to identify this person and thus, the information needs to be protected,” notes Suzan Hauptman, MPM, CPC, CEMC, CEDC, compliance and privacy officer, AVP, at City of Hope in Atlanta, Chicago and Phoenix.

2: Know How to Release a Patient’s PHI Correctly

For the release of “protected health information for treatment, payment, and healthcare operations,” the “Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent,” according to the U.S. Department of Health & Human Services (HHS) (source: www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html).
That consent must be accompanied by verification of the patient’s identity. If the patient cannot give consent in person, then you must obtain it by verifying patient information, such as the patient’s date of birth or the last four digits of the patient’s Social Security number, via a phone call or a secure email through a patient portal.

Gray area 2: Consent only applies to PHI release for purposes of treatment, payment, and healthcare operations. For any other kind of release, you will need an authorization, which the Privacy Rule defines as “a detailed document that gives covered entities permission to use protected health information … to disclose protected health information to a third party specified by the individual.” The document must specify and include, where appropriate, “a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed,” according to the Privacy Rule.

3: Know Patient Access Rights to Their Own PHI

According to the 2019 Office for Civil Rights (OCR) Right of Access Initiative, you must allow individuals to request access to their own records, including laboratory results, in a designated record set (DRS). Simply put, “if your patient asks for a copy of their records, you must give them a copy of whatever is in their DRS,” says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. Denial of such access could constitute a HIPAA violation. Patients are not required to fill out an authorization for release of records when requesting their own healthcare information, and you must provide it within 30 days. You are permitted to charge a reasonable fee, based on your practice’s cost, for the service.
Gray area 3: Patients do not have the right to access their entire medical record. For example, covered entities (CEs) do not have to turn over data compiled and created for use in legal proceedings. Individuals also don’t have the right to access mental health professionals’ psychotherapy notes due to the nature of their content. Additionally, “notes pertaining to active research that include treatment can also be denied from access by the patient,” says Leah Fuller, CPC, COC, senior consultant at Pinnacle Enterprise Risk Consulting Services, Charlotte, North Carolina. “Often, as party to the study, patients agree to such a restriction to their records. This typically ends once the research has been completed,” Fuller adds.

For more information on patient access to their own records, go to www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.