Get ready to go b eyond your current comprehension of the law. On Jan. 11, 2023, the United States Department of Health and Human Services (HHS) extended the COVID-19 public health emergency (PHE) for another 90 days. This means some current HIPAA waivers are still in place. But the writing is on the wall, as the Biden administration has finally announced an end date: May 11, 2023. So, before that date rolls around, you’ll want to refresh your memory of the HIPAA regulations as they apply to your patients. Here, then, is a refresher on three key HIPAA concepts. But, as with all rules and regulations, applying them is not always straightforward. That’s why we’ve also included three significant nuances for each element to help you navigate the gray areas of this significant patient right.
1: Understand What Is Protected in PHI Protected health information, or PHI, includes demographic information as well as information about a patient’s health. When health information can be linked to a specific individual via one of 18 different demographic identifiers, the information is regarded as protected. Those identifiers include such things as a person’s name, Social Security number, physical and electronic mail addresses, telephone numbers, license plate numbers, and account numbers. (For the full list, go to: www. hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/ coveredentities/De-identification/hhs_deid_guidance.pdf.) The key to understanding PHI, then, is knowing when an identifier links a specific individual with specific health information. If it does, then the information is protected. But “if a record is completely de-identified in a such a manner that it cannot possibly be connected to an individual, then, technically, it is no longer PHI,” explains Barbara Hays, CPC, CPCO, CPMA, CRC, CPC-I, CEMC, CFPC, medical review supervisor, special investigations at GEHA in Lee’s Summit, Missouri. Nuance (1): “If there are unlisted identifiers, PHI still needs to be protected. So, for example, if the information identifies a man who just returned to a small town from being overseas in the Marines, though that itself is not PHI, townspeople would easily be able to identify this person, and thus the information needs to be protected,” notes Suzan Hauptman, MPM, CPC, CEMC, CEDC, director, compliance audit at Cancer Treatment Centers of America. 2: Know How to Release a Patient’s PHI Correctly For the release of “protected health information for treatment, payment, and healthcare operations” the “Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent” according to the HHS (Source: www.hhs.gov/ hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html). That consent must be accompanied by verification of the patient’s identity. If the patient cannot give consent in person, then you must obtain it through verifying such patient information as the patient’s date of birth or the last four digits of the patient’s Social Security number — or via a phone call or a secure email through a patient portal. Nuance 2: Consent only applies to PHI release for purposes of treatment, payment, and healthcare operations. For any other kind of release, you will need an authorization, which the Privacy Rule defines as “a detailed document that gives covered entities permission to use protected health information … to disclose protected health information to a third party specified by the individual.” The document must specify and include, where appropriate, “a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed,” according to the Privacy Rule. 3. Know Patient Access Rights to Their Own PHI According to the 2019 Office of Civil Rights (OCR) Right of Access Initiative, you must allow individuals to request access to their own records in a designated record set (DRS) that includes laboratory results. For example, if your patient asks for a copy of their records, you must give them a copy of whatever is in their DRS, says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. Denial of such access could constitute a HIPAA violation. Patients are not required to fill out an authorization for Release of Records when requesting their own healthcare information, and you must turn the information around within 30 days. You are permitted to charge a reasonable fee, based on your practice’s cost, for the service. Nuance 3: Patients do not have the right to access their entire medical record. For example, covered entities (CEs) do not have to turn over data compiled and created for use in legal proceedings. Individuals also don’t have the right to access mental health professionals’ psychotherapy notes due to the nature of their content.