Health Information Compliance Alert

Covered entities, thanks to the changes made to the uses and disclosures of protected health information, you don't need to worry about a lot of practical nuisances that popped up before Aug. 14.

Before the final privacy rule was modified, covered entities were allowed to share PHI for treatment purposes, but not for payment or health care operations. That all changed, though, when the Department of Health and Human Services issued its modifications in August. As a result of those significant modifications, entities can now share health information freely for treatment, payment and most health care operations. And as it turns out, there are a number of beneficial effects the rule has had on CEs.

To begin with, the new rules will present welcomed relief to ambulance companies, which typically don't collect insurance information from patients at the scene of an accident, says Tom Grove, a principal at Phoenix Health Systems in a Sept. 25 audio conference.

For example, before the final modifications to the privacy rule, after an ambulance had collected a patient and transported him or her to a hospital, the ambulance company would not have been permitted to collect name and insurance information from the hospital that had the patient's registration information. "That would've been a disclosure by the hospital for the purposes of someone else's payment, not their own, and that would not have been permitted even with a signed consent," Grove explains. Ambulance crews can now use that information to submit their bill to the insurance company for services.

Grove says such an event would've required a specific authorization, a burden that the Aug. 14 changes relieve. The change now allows a hospital to share that information with the ambulance company, and to share it with treating physicians in order that the individual entities can deal with their own payment and operations issues, he notes.

Another practical difficulty that arose out of the earlier rule on uses and disclosures of PHI was that many covered entities made sweeping decisions about their organizational structure generally, and didn't merely create organized health care arrangements to help circumvent this particular information sharing difficulty.

Grove admonishes covered entities to review their organizational structure decisions in light of the broader rules in order to determine if it's sensible for entities to alter decisions that they had made before the final rule was published.

"You should review the conditions that are found specifically in section 164.506(c) of the rule for determination of allowable uses," urges Grove. That section relates to health care operations and explains that covered entities may disclose information for health care operations as long as both entities the disclosing entity and the receiving entity have a relationship with the patient and that the reason for requesting the PHI is because it because it pertains to the relationship between the recipient and the patient. "So you can release information from covered entity to covered entity or, in fact, [due to] a reasonable operation of need of the requesting party that's related to a patient that they have in common."

Covered entities should be aware of the new exceptions to the incidental disclosure provisions of the final rule. Incidental disclosures are clearly defined as not violations to the rule as it existed before the modifications. However, covered entities still have to use reasonable safeguards to prevent those incidental disclosures.

For example, what happens if two physicians are sitting in a cafeteria discussing a patient, asks Grove. In this situation, the rule makes it clear that if the physicians are overheard discussing a patient, as long as they've been reasonable and prudent in their discussion, they have not created a violation.

"The example I like to use is, if two physicians are sitting in the corner of the cafeteria discussing a patient and someone walks by and hears the patient's name, that's not a disclosure. If those same physicians are discussing a patient at opposite corners of the cafeteria while using bullhorns, that would not be reasonable and prudent, and that would create a violation," he explains.

The rule relies on the professional judgment of the covered entity and of the entity's employees to make appropriate choices. The exceptions to the rule excuse disclosures that are incidental to an acceptable disclosure if the covered entity has followed both the minimum necessary rule and the reasonable safeguards rule, says Robert Markette, Jr., an attorney with Gilliland &Caudill.

"A good example is a doctor's sign-in sheet," Markette explains. The names of the patients on the sheet, when combined with the fact that they are patients of this doctor, are considered protected health information. The PHI would be disclosed to each patient when they signed in or, say, to the Fed Ex person when he or she dropped off packages.

Markette says under the old rule, this disclosure would have to be prevented, but the new rule states that if the sign-in sheet follows the minimum necessary rule and is safeguarded, disclosures that occur when patients sign in and see other patients' names on the sheet would be excused.

Markette says the problem with this rule is that it may be difficult determining that the safeguards taken by the covered entity were reasonable or that the minimum necessary information was disclosed. However, he believes that the new exception will allow providers to continue business as usual, for the most part, "such as having patients sign in, and discussing a patient's case in a place other than the doctor's lounge."