Orthopedic Coding Alert

Compliance:

Get Hip to Post-PHE HIPAA World Before it Arrives

Here’s how to ready your practice for PHE end times.

The COVID-19 public health emergency (PHE) is currently still ongoing, but there’s now confirmation that it will not last forever — despite it feeling that way.

The Biden administration named May 11 as the PHE end date. After this date, most (if not all) of the current HIPAA waivers will disappear. Coders in the know will want to refresh their memories of the HIPAA regulations as they apply to patients.

To help practices stay HIPAA compliant post-PHE, we’ve compiled a refresher on three vital elements of HIPAA. We’ll also discuss significant nuances for each element, assisting you in the gray areas of this significant patient right.

1: Be Super-Savvy on PHI Protections

Protected health information, or PHI, includes demographic information as well as information about a patient’s health. When health information can be linked to a specific individual via one of 18 different demographic identifiers, the information is regarded as protected. Those identifiers include such things as a person’s name, Social Security number, physical and electronic mail addresses, telephone numbers, license plate numbers, and account numbers. (For the full list, go to: www.hhs.gov/sites/default/files/ocr/privacy/hipaa/ understanding/coveredentities/De-identification/hhs_deid_ guidance.pdf.)

The key to understanding PHI, then, is knowing when an identifier links a specific individual with specific health information. If it does, then the information is protected. But “if a record is completely de-identified in a such a manner that it cannot possibly be connected to an individual, then, technically, it is no longer PHI,” explains Barbara Hays, CPC, CPCO, CPMA, CRC, CPC-I, CEMC, CFPC, medical review supervisor, special investigations at GEHA in Lee’s Summit, Missouri.

Nuance 1: “If there are unlisted identifiers, PHI still needs to be protected. So, for example, if the information identifies a man who just returned to a small town from being overseas in the Marines, though that itself is not PHI, townspeople would easily be able to identify this person, and thus the information needs to be protected,” notes Suzan Hauptman, MPM, CPC, CEMC, CEDC, director, compliance audit at Cancer Treatment Centers of America.

2: Have HIPAA Release Info Know-How

For the release of “protected health information for treatment, payment, and healthcare operations” the “Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent” according to the HHS (Source: www.hhs.gov/ hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html).

That consent must be accompanied by verification of the patient’s identity. If the patient cannot give consent in person, then you must obtain it through verifying such patient information as the patient’s date of birth or the last four digits of the patient’s Social Security number — or via a phone call or a secure email through a patient portal.

Nuance 2: Consent only applies to PHI release for purposes of treatment, payment, and healthcare operations. For any other kind of release, you will need an authorization, which the Privacy Rule defines as “a detailed document that gives covered entities permission to use protected health information … to disclose protected health information to a third party specified by the individual.” The document must specify and include, where appropriate, “a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed,” according to the Privacy Rule.

3. Be Ready for Patients’ PHI Requests

According to the 2019 Office of Civil Rights (OCR) Right of Access Initiative, you must allow individuals to request access to their own records in a designated record set (DRS) that includes laboratory results. For example, if your patient asks for a copy of their records, you must give them a copy of whatever is in their DRS, says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. Denial of such access could constitute a HIPAA violation.

Patients are not required to fill out an authorization for Release of Records when requesting their own healthcare information, and you must turn the information around within 30 days. You are permitted to charge a reasonable fee, based on your practice’s cost, for the service.

Nuance 3: Patients do not have the right to access their entire medical record. For example, covered entities (CEs) do not have to turn over data compiled and created for use in legal proceedings. Individuals also don’t have the right to access mental health professionals’ psychotherapy notes due to the nature of their content.