Pathology/Lab Coding Alert
Bust These 4 PHI Disclosure Myths
Patients can request lab results.
There’s such a thing as protecting “protected health information” (PHI) too much. Sure you need to know when to keep things private, but you also need to know when and how to legitimately share PHI.
Read on and let our experts dispel four myths to keep your PHI disclosure running smoothly
Maneuver Provider Restrictions
Myth 1: HIPAA prevents or limits healthcare providers from sharing PHI between each other to provide care for a patient.
Reality: “This is not true,” stressed healthcare attorney Casey Moriarty in a blog posting for Ogden Murphy Wallace Attorneys. “HIPAA allows the disclosure of health information for treatment purposes.”
“I also commonly hear the idea that HIPAA requires a business associate agreement [BAA] in order for a provider to share health information for the purpose of treating a patient,” Moriarty noted. This is also untrue.
“In fact, the HIPAA treatment disclosure exception is so broad that it applies to disclosures between healthcare providers AND the ‘coordination or management of health care’ by a provider and a third party,” Moriarty said. “The third party does not even have to be a healthcare provider!”
Open Patient Access
Myth 2: Patients do not have an unfettered right to access their entire medical record.
Reality: If you believe that your lab or pathology practice, not the patient, has ownership of the patient’s PHI, and that you have no obligation to give the patient unrestricted access, you’re wrong. And this opinion has led to more than one HHS Office for Civil Rights (OCR) investigation, Moriarty warned.
You must allow individuals to request access to their own records, for a reasonable cost-based fee, according to Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems LLC in Charlotte, VT. And you no longer have a 30-day extension for offsite data.
Additionally, you must now also furnish laboratory information to the patient or his authorized representative, Sheldon-Dean says. About a year ago, a final rule removed lab results from the list of information that you may deny the patient access to.
“HIPAA gives patients broad rights to access their health information and healthcare providers are required to honor patient requests. Denial of such access could constitute a HIPAA violation,” Moriarty said. “Patients are also not required to fill out an Authorization for Release of Records when requesting their own healthcare information.”
Caveat: There are a few exceptions to patient access rights under HIPAA. These include exceptions for psychotherapy notes, as well as health information for civil, criminal, or administrative proceedings, Sheldon-Dean notes.
Keep Health and Safety Threats in Mind
Myth 3: HIPAA prohibits disclosure of PHI, even if that disclosure might minimize a threat to health or safety.
Reality: HIPAA actually encourages the disclosure of health information to minimize an imminent threat to health or safety of an individual or of the public, Moriarty said. You can disclose PHI to persons reasonably able to prevent or lessen the threat, including law enforcement authorities.
According to OCR, HIPAA allows disclosures of health information to help with public health and safety issues to:
Comply with Your State’s Legally Mandated Disclosures
Myth 4: Complying with state laws that require certain disclosures violates the HIPAA Privacy Rule.
Reality: The HIPAA Privacy Rule actually contains an exception specifically involving disclosures required by state law, Moriarty states. Common state-law disclosure obligations include reporting cases of child abuse, reporting cases of vulnerable adult abuse, and reporting to law enforcement if an individual has certain types of wounds like a bullet wound.
HIPAA’s “required by state law” disclosure exception makes reviewing and understanding your state’s mandatory reporting laws absolutely essential, Moriarty stressed. “Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake.”
Bottom line: When it comes to PHI disclosures, “HIPAA does not always mean ‘no,’” Moriarty said. “Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly government investigations and fines.”
Related Articles
Pathology/Lab Coding Alert
- 2016 Update:
Expect 2-Tier Drugs-of-Abuse Reporting for Medicare
Continue to ignore CPT® drug codes. The two proposed “G” codes for Medicare drug-test coding [...] - Toxicology:
Understand Screening vs. Confirmatory Testing
Grasp ‘definitive’ terminology, too. If your lab performs toxicology testing, you need to understand the [...] - HIPAA Compliance:
Bust These 4 PHI Disclosure Myths
Patients can request lab results. There’s such a thing as protecting “protected health information” (PHI) [...] - Reader Question:
Learn Hemoglobin A1C Frequency Limitations
Question: We often get orders for hemoglobin A1C tests from physicians for patients with diabetes. Sometimes [...] - Reader Question:
Select Procedure Code for Soft-Tissue Mass
Question: Our pathologist received a specimen identified as a biopsy of a “soft tissue mass” of [...] - Reader Question:
Change 'BPH' to 'Enlarged Prostate'
Question: The pathologist examines a prostate biopsy and diagnoses “benign prostatic hypertrophy (BPH).” The referring urologist [...] - You Be the Coder:
Learn 'Unspecified' and 'Other Specified' ICD-10 Distinction
Question: We’ve observed that some codes we commonly used under ICD-9 don’t have a one-to one [...]
