Pathology/Lab Coding Alert

HIPAA:

Learn These 3 Truths and 3 Myths about PHI

Hint: De-identifying records may allow you to scrub PHI from them.

From patient names to medical records, you may be quite familiar with how to protect these types of protected health information (PHI). However, there are over a dozen types of PHI, and the rules surrounding how to keep them all safe can be confusing.

Your ability to protect patients’ PHI is integral to avoiding a HIPAA breach, so it’s important to familiarize yourself with three key truths about PHI and three myths.

Truth 1: PHI Goes Far Beyond the Medical Record

There’s more to PHI than just what’s in a patient’s chart. Any personal information that can identify the patient and is associated with the medical record is also protected — even URLs and license plate numbers. In fact, federal guidance lists the following 18 categories of “personal identifiers” that you must protect:

1. Name

2. Address

3. Birthdate and other corresponding dates of admission, discharge, death, etc.

4. Landline and cellphone numbers

5. Fax numbers

6. Email addresses

7. Social Security Number

8. Medical record number

9. Health plan beneficiary number (e.g., Medicare Beneficiary Identifier)

10. Account number

11. State identification or license number

12. Vehicle identifiers and serial numbers, including license plate numbers

13. Device identifiers and serial numbers

14. URLs

15. IP addresses

16. Biometric identifiers like finger or voice prints

17. Photo or image of patient, specifically the face

18. Any other unique code, characteristic, image, or number that identifies the individual

Essentially, anything that can identify the patient to other people is considered PHI. For instance, if a patient’s name is John Smith but everyone in town calls him Smitty, then the name “Smitty” would count as part of the patient’s PHI.

Truth 2: De-Identifying Medical Records Removes PHI

Despite the fact that almost everything related to a patient’s identity is considered PHI, there are ways to remove that data from a record so it no longer qualifies as protected health information. In fact, if a record is completely de-identified in such a manner that it cannot possibly be connected to an individual, then it would no longer be protected under HIPAA. Technically, at that point it is no longer PHI.

If you aren’t sure whether a record has been scrubbed thoroughly enough to remove the patient’s PHI from it, consult a healthcare attorney to confirm that it has.
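The de-identification described above, as an added example that is not part of the article: a Python scrubber that drops the structured fields holding the listed identifier categories, redacts the record’s own values (including a nickname such as “Smitty” from Truth 1) out of free-text fields, pattern-matches the machine-recognisable categories (SSN, phone, email, URL, IP address, dates), and then re-checks the result. The sample record, field names and regex formats are constructed assumptions; the patterns cover only categories with a recognisable format, so the other categories on the list still need the review the article describes.

```python
import re
# Constructed sample lab record: fictional patient and values, built for this example.
SAMPLE_RECORD = {
    "name": "John Smith",
    "nickname": "Smitty",
    "mrn": "MRN-0042-7781",
    "ssn": "123-45-6789",
    "dob": "1961-03-14",
    "email": "jsmith@example.com",
    "phone": "(919) 555-0142",
    "plate": "ABC-1234",
    "test": "CBC with differential",
    "result": "WBC 6.2, HGB 13.9, PLT 240",
    "notes": "Pt 'Smitty' called from (919) 555-0142 on 2023-08-02; "
             "viewed https://portal.example.org/u/7781 from 203.0.113.7; "
             "SSN on file 123-45-6789, email jsmith@example.com.",
}

# Structured fields that hold one of the listed identifier categories outright (assumed schema).
DIRECT_IDENTIFIER_FIELDS = {"name", "nickname", "mrn", "ssn", "dob", "email", "phone", "plate"}

# Formats for identifiers that leak into free text (assumed, simplified US formats).
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("URL", re.compile(r"https?://\S+")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]

def scrub_free_text(text: str, known: dict[str, str]) -> str:
    """Redact the record's own identifier values (longest first), then anything matching a known format."""
    for field, value in sorted(known.items(), key=lambda kv: -len(kv[1])):
        text = re.sub(re.escape(value), f"[REDACTED:{field.upper()}]", text, flags=re.IGNORECASE)
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[REDACTED:{label}]", text)
    return text

def deidentify(record: dict) -> dict:
    """Drop the direct identifier fields, then scrub what remains (nicknames like 'Smitty' included)."""
    known = {f: str(record[f]) for f in DIRECT_IDENTIFIER_FIELDS if f in record}
    return {f: scrub_free_text(v, known) if isinstance(v, str) else v
            for f, v in record.items() if f not in DIRECT_IDENTIFIER_FIELDS}

def residual_identifiers(record: dict) -> list[str]:
    """Post-scrub check: identifier formats still present anywhere in the record (empty list = none found)."""
    blob = " ".join(str(v) for v in record.values())
    return [label for label, pattern in FREE_TEXT_PATTERNS if pattern.search(blob)]
```

Run `residual_identifiers` on the original record to see which formats it flags, then on `deidentify(SAMPLE_RECORD)` to confirm the scrubbed copy is clean.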

Truth 3: Healthcare Providers Can Share PHI for Treatment Purposes

Your pathologist can share protected health information about a patient with another provider in relation to that patient’s care. In addition, you do not need to have a business associate agreement (BAA) in place before you share PHI for the purpose of treating a patient. Under the HIPAA Privacy Rule, clinical care information can be readily exchanged between providers. This means your pathologist can talk to another provider about a patient’s lab results for the purposes of that patient’s care without worrying that they have breached HIPAA.

Remember, however, that when you share that PHI with other providers, you must do so in a HIPAA-sanctioned way, such as through encrypted email.

Myth 1: Your Practice Owns the PHI, So Patients Can’t See It

Many healthcare providers believe the patient’s PHI belongs solely to the practice, and that even the patient isn’t allowed to see it, but that’s a myth. You must allow individuals to request access to their own records — this is a requirement under the HIPAA law.

In addition, patients aren’t required to fill out an Authorization for Release of Records when requesting their own healthcare information. If you deny or withhold a patient’s records, you could face steep fines and penalties.

Caveat: There are a few exceptions to patient access rights under HIPAA. These include exceptions for psychotherapy notes, as well as health information for civil, criminal, or administrative proceedings.

Myth 2: HIPAA Prohibits PHI Disclosures, Even When Danger Is on the Line

In situations when the health or safety of others is in danger, your practice is permitted to disclose PHI to people reasonably able to prevent or lessen the threat, including law enforcement authorities.

According to the Office of Civil Rights (OCR), HIPAA allows disclosures of health information to help with public health and safety issues to:

  • Prevent disease
  • Help with product recalls
  • Report adverse reactions to medications
  • Report suspected abuse, neglect, or domestic violence
  • Prevent or reduce a serious threat to anyone’s health or safety.

Myth 3: State Laws Don’t Trump PHI Disclosure Rules

Although some practices believe they can’t disclose PHI even in instances when state law requires them to do so, that’s a myth. In fact, the HIPAA Privacy Rule actually contains an exception specifically involving disclosures required by state law. Common state-law disclosure obligations include reporting cases of child abuse, reporting cases of vulnerable adult abuse, and reporting to law enforcement if an individual has certain types of wounds like a bullet wound.

HIPAA’s “required by state law” disclosure exception makes reviewing and understanding your state’s mandatory reporting laws absolutely essential. Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake your lab should avoid making.

Torrey Kim, Contributing Writer, Raleigh, N.C.