Hedge compliance obligations during PHE. Although your lab has some leeway for sharing protected health information (PHI) for the duration of the COVID-19 public health emergency (PHE), you need a sound basis for guiding your disclosure actions to keep you clear of enforcement proceedings. To provide that basis, we’re here to remind you what information PHI includes, and what HIPAA flexibility the feds have sanctioned during the PHE. Look Beyond the Medical Record There’s more to PHI than just what’s in a patient’s chart. Any personal information that can identify the patient and is associated with the medical record is also protected. In fact, federal guidance lists the following 18 categories of “personal identifiers” that you must protect: o Such as birthday, admission or discharge date, death date o Age (except range ok) o Social Security number o Any other unique identifying number o Phone number o Fax number o Email address Key: PHI is demographic information as well as information about a patient’s health. When health information can be linked to a specific individual via one of the identifiers, all of that information is regarded as protected. When the information is not linked, it is not PHI. “If a record is completely de-identified in a such a manner that it cannot possibly be connected to an individual, then no, that would not be protected. Technically, it is no longer PHI,” says Barbara Hays, CPC, CPCO, CPMA, CRC, CPC-I, CEMC, CFPC, medical review supervisor, special investigations, GEHA in Lee’s Summit, Missouri. Tip: “If there are unlisted identifiers, PHI still needs to be protected. So, for example, if the information identifies a man who just returned to a small town from being overseas in the Marines, though that itself is not PHI, townspeople would easily be able to identify this person and thus, the information needs to be protected,” notes Suzan Hauptman, MPM, CPC, CEMC, CEDC, director, compliance audit, Cancer Treatment Centers of America. Clarify PHE-Related Privacy Exceptions Make no mistake, HIPAA continues to apply to covered entities (CEs) and business associates (BAs) during the PHE, but the HHS Office for Civil Rights (OCR) has issued guidance allowing some exceptions. During the PHE, CEs can disclose patients’ PHI without authorization when it’s “necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” explains the OCR. Review this checklist of when CEs can share PHI without authorization, according to OCR guidance: Treatment: If necessary, a CE can share PHI without authorization to treat the patient or a different patient. Public health activities: There are three groups CEs can share PHI with during a PHE without authorization. They include: Family and friends: If necessary, a CE can share a patient’s PHI with family, relatives, and friends if they’re part of the patient’s care or need to be located, identified, or notified about location, condition, or death. Additionally, the CE must get “verbal permission” or “infer” the patient wouldn’t object because it’s in their best interest; the patient is incapacitated or unconscious and the provider uses medical judgment to share the data; or the CE needs to share the PHI with a disaster relief organization like the Red Cross to ensure public safety. Imminent threat: If state laws and ethics are observed, providers may share PHI to avoid or diminish dangers and imminent threats. Resource: For ongoing information regarding HIPAA and the PHE, including the OCR guidance, visit www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html.