Medical billing services, healthcare professionals, and other stakeholders are bound by HIPAA Law or “HITECH Law of 2009” to protect sensitive healthcare information and prevent its misuse.
When we join a medical billing company, the first thing that medical billers, coders, auditors, and physicians learn is to safeguard Protected Health Information (PHI). Moreover, there are proper guidelines to avoid misinterpreting the confidentiality of patients' data.
Medical Practices are Sharing Data with Authorities for Research
Healthcare IT experts have decided that, with proper data analysis, we can find ways to restrict virus exposure and even prevent another health emergency from happening. Thus, in these drastic times, medical practices are asked to share data for research purposes. In such situations, as a HIPAA-compliant medical facility, how would you respond to such requests? Will there be any prerequisites for sharing data? What information are healthcare professionals and outsourcing medical billing companies allowed to share?
Moreover, it will also affect QPP MIPS reporting requirements.
There are lots of questions that we have to answer.
The U.S. Department of Health and Human Services (HHS) has answered all these questions without ambiguity. Let's follow through.
Changes in HIPAA Policies during COVID-19
In February 2020, the Office of Civil Rights released a bulletin for covered entities and business associates about how patient data may be shared amid the pandemic.
They say:
Healthcare entities can release the patient’s data without the patient's authorization if it’s important to treat another life or that patient in general. Treatment here refers to the management or coordination among healthcare entities, such as one or more healthcare professionals, medical billing services, care of providers, and the referrals of patients.
Another thing that we all have to keep in mind is that this relaxation is only in effect during the COVID-19 pandemic (Public Health Emergency, PHE) and is likely to be reverted, annulled, or updated when the situation gets back to normal.
The Situations where we can Share Information without Patient’s Authorization
Under privacy rules, healthcare service providers can share
PHI in specific cases without prior authorization.
So, what are those cases?
Only a Public Health Authority, for instance, the CDC or a state or local health department, can receive or share data to prevent any public health emergency, disability, or disease. This includes all reportable cases such as disease, injury, births, deaths, and surveys for public health surveillance, investigations, or interventions.
Explicitly speaking, a covered entity may disclose PHI to
the CDC regularly as needed to report cases (prior and prospective) of patients
exposed, suspected, or confirmed to have Novel Coronavirus.
Severe Cases When Health Providers Can Share PHI
Moreover, there are other severe cases where clinicians are allowed to share information, such as:
- When the patient is unconscious, and sharing is in the best interests of the patient
- When disaster relief organizations (for example, the Red Cross) are unable to operate fairly in an emergency
- When a person, or the public in general, is in a critical health condition, to prevent a fatal condition
Having stated these non-consensual cases, it is still best practice for healthcare organizations or medical billing companies to ask patients for permission. Unfortunately, that is not possible in most cases because the patients might not be in a condition to allow anything.
Be Careful About What You Share
Clinicians must avoid releasing information about specific tests, test results, or details of a specific illness or treatment without proper consent from the patient or the representative party!
Neither QPP MIPS reporting criteria nor HIPAA compliance rules allow it.
How is the Pandemic Holding Up with HIPAA Compliance?
The relaxations in the privacy policies are in favor of a
progressive and active healthcare system. However, some conditions are not
changed, such as the Minimum Necessary constraint, unless another healthcare
professional requires the information.
This stance is explained in the press release as:
A covered entity depends on the CDC that the protected
health information (PHI) requested by the CDC about all patients exposed or
suspected or confirmed to have coronavirus is the minimum necessary case for
the public health purpose. Furthermore, patients can restrict access to their
information for the workforce members who need it to perform several tasks or
research.
Conclusion
The relaxations applied to the privacy rules of HIPAA compliance don’t imply any loose ends for security measures. The parties associated with the information, such as covered entities, billing services, MIPS Qualified Registries, and clinicians, must adopt all means to protect information from falling into the wrong hands.
The authorities presented several press releases as the
pandemic progressed. One of them was released on April 2, 2020, saying that:
Starting instantly, there would be no penalties for exposing
information under the HIPAA Privacy Rules for goodwill purposes for all
business associates during the pandemic.
Hopefully, it helps scientists to highlight meaningful
aspects of a progressive healthcare system. Moreover, it allows physicians
long-term relaxation without compromising patients' privacy and quality
healthcare for QPP MIPS reporting.