General Surgery Coding Alert

HIPAA:

Defer to OCR Privacy Reminder in Age of COVID-19

Don’t shirk ‘prior authorization’ requirement.

In case your surgery practice lost its focus on HIPAA compliance in light of the onslaught of COVID-19 pandemic information, the feds have news for you.

The HHS Office for Civil Rights (OCR) recently issued a HIPAA Privacy Rule update to make sure you keep privacy in mind while dealing with COVID-19 patients. Read on to see how we parse the update for what you need to know.

Put Patient Privacy First

The OCR update serves as a reminder to covered entities (CEs) that their first priority is to safeguard patients’ protected health information (PHI) — even during the pandemic.

In a nutshell, CEs must ensure prior authorization is in place before allowing the media to film patients during a pandemic. For surgeons, that might mean protecting images of patients in COVID-19 wards or other facility locations where media may stray.

“Even during the current COVID-19 public health emergency [PHE], covered healthcare providers are still required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before the media is given access to that PHI,” warns OCR in a release. “The guidance clarifies that masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient is not sufficient, as a valid HIPAA authorization is still required before giving the media such access.”

Understand the Differences Between ‘Consent’ and ‘Authorization’

Simply put, patients agree to allow providers to treat them, and that usually registers as verbal consent. Moreover, CEs “voluntarily” procure this patient consent so they can use and disclose PHI for “treatment, payment, and healthcare operations,” OCR guidance maintains.

On the other hand, authorization is something completely different and refers to a written record obtained by the CE from the patient, allowing PHI to be used for different purposes. This is usually necessary because PHI is being utilized or disclosed for something that isn’t typically sanctioned under the Privacy Rule. In this case, “voluntary consent is not sufficient to permit a use or disclosure” of PHI, so a valid authorization is required, OCR clarifies.

Here’s the Reason the Feds Offered Extra Guidance

As part of the PHE, OCR has announced several notifications of HIPAA enforcement discretion to ease restrictions due to COVID-19, such as relaxing rules on telehealth technology. But just because the feds offer CEs and their business associates some regulatory relief with these good faith provisions for HIPAA noncompliance doesn’t mean that the rules don’t apply to the majority of healthcare scenarios.

With an increased media presence in many facilities, the chance for patients’ PHI to be exposed or hijacked is high. That’s why OCR felt it necessary to revisit HIPAA’s prior authorization requirements as a protection for both patients and providers.

“HHS’ guidance provides several examples of PHI in treatment areas, including how the mere presence of a patient in the area of a healthcare facility dedicated to treating a specific disease, such as COVID-19, reveals the patient’s diagnosis,” explain New York-based attorneys Victoria Anderson and Francisco Cebada with Kelley Drye & Warren LLP in online legal analysis. “As such, members of the media entering a healthcare facility’s treatment areas immediately have access to PHI they can see, hear, and record.”

Reminder: According to the HIPAA Privacy Rule, it’s never acceptable “to give the media, including film crews, access to any areas of their facilities where patients’ PHI will be accessible in any form (e.g., written, electronic, oral, or other visual or audio form), without first obtaining a written HIPAA authorization from each patient whose PHI would be accessible to the media,” notes the new OCR guidance. Plus, a HIPAA authorization should never be a condition of whether or not a patient receives treatment, the agency stresses.

Additionally, OCR reminds facilities that mask wearing does not equate to HIPAA compliance and is not something the agency considers a safeguard. However, the update does offer some examples of what OCR considers security measures to go hand-in-hand with signed authorization forms. Those include:

  • Privacy screens that obscure easy-to-see PHI on computers, monitors, medical equipment, and other technical or medical devices
  • “Opaque barriers” between areas — especially around patients without signed authorization documents

“The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll,’” said OCR Director Roger Severino, in a release. “Hospitals and healthcare providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it,” Severino cautioned.

Include ‘Core Elements’ in Your Authorization Form

Though the feds offer CEs some leeway on their implementation of HIPAA management, including the design of authorization forms, there are some necessary parts you must add to ensure your documents are legally valid.

Context: Under the HIPAA Privacy Rule, CEs are allowed to use PHI for treatment purposes without patients’ authorization. However, if CEs want to use or disclose patients’ data for things as varied as marketing, social media, news reports, and more to third parties, they must have a signed authorization form on file.

There are “core elements” that your authorization form must include to make it valid under the law, indicates an OCR decision tool. The HIPAA Privacy Rule mandates the following requirements:

  • A specific description of the PHI to be used or disclosed
  • The name of the person or organization authorized to make the disclosure of the PHI
  • The names of the third parties receiving the information
  • A description of each purpose or reason for the use or disclosure of the data
  • An expiration date or event end date related to the data sharing
  • The signature of the individual whose PHI is being used or disclosed, or their representatives’ signatures, with the signing date

Cost: OCR has penalized covered providers in the past who failed to secure their patients’ PHI with written authorizations before the video cameras started rolling — and the fines have been steep.

“Healthcare providers that permit filming without taking appropriate privacy measures may be televising costly HIPAA compliance failures to a watchful HHS,” warn Anderson and Cebada.

Resources: Find OCR’s updated guidance at www.hhs.gov/sites/default/files/guidance-on-media-and-film-crews-access-to-phi.pdf.