General Surgery Coding Alert

Correction: HIPAA allows the disclosure of health information for treatment purposes, and does not require a business associate agreement (BAA) for a provider to share health information for the purpose of treating a patient.

In fact, the HIPAA treatment disclosure exception is so broad that it applies to disclosures between healthcare providers AND the “coordination or management of health care” by a provider and a third party, HHS Office for Civil Rights (OCR) guidance indicates.

Provide Broad Access to Patients

Misconception: Patients do not have right to access their entire medical record.

Correction: You must allow individuals to request access to their own records, for a reasonable cost-based fee, and you only have 30 days of turnaround time to get patients their data. That’s been the rule since the Office of Civil Rights (OCR) instituted its Right of Access Initiative in 2019.

Plus: According to the OCR, you must provide individuals access to their records in a designated record set (DRS). For example, if your patient asks for a copy of his records, you should give him a copy of whatever is in his DRS, says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont.

Denial of such access could constitute a HIPAA violation. Patients are also not required to fill out an Authorization for Release of Records when requesting their own healthcare information.

Caveat: Exceptions to patient access rights under HIPAA include psychotherapy notes, and health information for civil, criminal, or administrative proceedings.

Consider Public Health and Safety

Misconception: HIPAA prohibits disclosure of PHI, even if it might minimize a threat to health or safety.

Correction: HIPAA allows PHI disclosure to minimize an imminent threat to health or safety of an individual or of the public. You can disclose PHI to persons reasonably able to prevent or lessen the threat.

According to OCR, HIPAA allows disclosures of health information to help with public health and safety issues to:

• Prevent disease
• Help with product recalls
• Report adverse reactions to medications
• Report suspected abuse, neglect, or domestic violence
• Prevent or reduce a serious threat to anyone’s health or safety.

Covered entities (CEs) may also disclose PHI to law enforcement authorities for individuals admitting to a violent crime or who have escaped from lawful custody when the CE believes that physical harm may result without disclosure.

Pandemic reminder: HIPAA applies to CEs and their BAs when the government calls a public health emergency (PHE). However, if a PHE is in place, CEs can disclose patients’ PHI without authorization when it’s “necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” explains OCR in COVID-19 PHE guidance that highlights “how HIPAA supports the use of health information exchanges … to improve the public’s health, particularly during the COVID-19 public health emergency,” according to Roger Severino, past OCR director in a statement regarding the guidance.

Comply with Your State’s Legally Mandated Disclosures

Misconception: Complying with state laws to disclose PHI violates HIPAA.

Correction: HIPAA contains an exception for disclosures required by state law, which commonly require disclosure in cases of suspected child or adult abuse and certain injuries such as bullet wounds.

Bottom line: Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly federal investigations and fines.