Privacy
I am a photojournalist doing photography work for Paramedic Text books and Paramedic trade journals and for the EMS agency itself to use the material for training, etc. The EMS agency is willing to allow me to ride to calls with EMS crews to obtain this material. I understand that in a patient's home I cannot photograph the paramedics unless I have approval from the patient and the EMS crew feels it will not be a determent to the patient. Furthermore I am bound by third party laws pertaining to invasion of privacy and would always need to secure consent and obtain a signed release before any publication. This is required even if there were no HIPAA requirements. The same goes for any photographs of the patient in the ambulance.
We have prepared a release for publication for the patient to sign.
I understand that as a photojournalist I am not considered a HIPAA entity
however I must take steps to ensure the EMS agency is not violating any
HIPAA privacy laws. Have I covered all of the bases as it pertains to
HIPAA? Is there anything that we are doing that might not meet HIPAA
requirements?
I suggest you follow the process currently in place for release of
information in regards to taking the photographs. I also suggest that you
sign a business associate agreement (BAA) with the EMS agency. This agency
is considered a covered entity (CE) under the HIPAA guidelines and
therefore must follow those regulations. Any outside individual or
organization that the CE shares or exposes this protected health
information (PHI) with, which the covered entity must secure and keep
private, must enter into a BAA. The BAA states that the non-covered entity
will treat this PHI in the same manner as the CE. During these encounters
with patients, you will see and hear PHI and this must be protected
therefore the BAA will protect the patient and the EMS agency. Here is a
link for a sample BAA drafted by the Office for Civil Rights through the
Department of Health and Human Services:
http://www.hhs.gov/ocr/hipaa/contractprov.html
(Posted 3/1/04)
I work with a major healthcare administrator who is looking at
outsourcing the folding/inserting and mailing of forms and billings. I
believe that having the mail house personnel handle these items would be a
violation of privacy issues. An I correct?
It is not a HIPAA violation to outsource health care operations.
However, as a covered entity, you are responsible for the privacy and
security of this protected health information. Therefore, protected health
information that is being shared must be protected under a business
associate agreement. This agreement tells the outsourcing organization
that this information must be protected the same way your organization
would as a covered entity.
The following link will take you to a sample business associate
contract:
http://www.hhs.gov/ocr/hipaa/contractprov.html
(Posted 3/1/04)
I work in an acute care setting and often we receive attorney
requests for patients they are representing. The request states production
of "any and all" records. Under the minimum necessary standard, shouldn't
we be asking the attorney to be more specific and spell out any dates of
service they need to adequately litigate case for the patient? Our
correspondence clerks feel that they have to go into cold storage and copy
all visit records from 7-10 years prior.
You are correct, minimum necessary does come into play concerning
release of information. An attorney must also notify the patient and
request signature if at all possible.
Noted below are the minimum requirements covered entities will be looking
for in an authorization form:
- A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
- The name or other specific identification of the person(s) or class or persons authorized to make the requested use or disclosure
- A description of each purpose of the requested use or disclosure
- An expiration date or expiration of event (i.e. end of trial)
- Signature of individual and date
If the release of information is requested as a court order or in a dispute you must follow those specific guidelines. You can find the actual privacy regulation and download from the following link
- http://www.hhs.gov/ocr/combinedregtext.pdf
- Refer to section 164.512(e)
(Posted 2/10/04)
I am the Records Manger for El Paso County in Colorado Springs,
Colorado. The function of my department is to store documents for the
various office/departments throughout the county and retrieve the files
when they are needed. When a document is needed, the user sends an email
to our Help Desk with the indexing information and creates a work ticket.
This ticket is printed on our printer (which is located in a locked office
area) and we use this to look up the box location. The work ticket is kept
in a filing cabinet until the document is returned. When the document is
returned, the work ticket is placed in a recycle bin where the papers will
be shredded. We store medical files for the inmates under the Sheriff’s
office and medical files for the Health Department. When either one of
these users need a file, the information emailed is a name only for the
Health department and a name, admit number and sometimes a date of birth
or a social security number for the Sheriff. The email is sent to a
distribution list that includes four people working on the help desk and
the three Records Center staff members. My question is this: are there any
HIPAA violations by handling the requests in this fashion?
From the process you are describing, it sounds like you have certainly
thought this through and are taking steps to protect PHI. What you are
doing by supplying these records comes under the heading of health care
operations and therefore allowable. The only operation that makes me a
little nervous is the email process but this too is okay as long as the
email is secure. Your policy and procedure, which you are following is
well constructed and I suggest that this policy is documented and all
employees involved educated on this process.
(Posted 2/10/04)
My wife has been to several doctors to try to find out why she has
tremendous pain in her leg. She was finally referred to a "Pain Management
Clinic". Every doctors office we have been to allowed me, her spouse, to
accompany her to the exam room on the very first and subsequent visits,
but this "Pain Management Clinic" refused to allowed me to accompany her
during the initial exam. They stated that due to the new "HIPAA"
regulations, no one but the patient is allowed during the initial exam. Is
this true? Does the HIPAA rules state this? Or is this possibly just the
protocol of this particular office?
Unfortunately many policies have been blamed on HIPAA and that seems
to be the case in this instance as well. The practice may certainly want
to check with a new patient before disclosing their protected health
information with others. However, if your wife states that you are to be
involved in her care and she does not wish to have any information kept
from you, this information may then be shared. The office may wish to have
a private meeting with the patient and that my be part of their policy but
it is not a HIPAA policy.
(Posted 2/10/04)
Is it considered a violation of HIPAA if a nursing student of an
accredited school reviews their own medical chart at a hospital?
Especially if no information was altered or passed on beyond that student
themself?
The definition of “health care operations” in the Privacy Rule
provides for “conducting training programs in which students, trainees, or
practitioners in areas of health care learn under supervision to practice
or improve their skills as health care providers.” Covered entities can
shape their policies and procedures for minimum necessary uses and
disclosures to permit medical trainees access to patients’ medical
information, including entire medical records. However, nursing students
must work under the same policies as the employees of the hospital.
Minimum necessary refers to the minimum amount of information that is
necessary to perform the employee's task. Therefore, reviewing the
student's individual medical record does not fall under that definition
and probably violates the organization's policy.
(Posted 2/10/04)
I work for an ambulance service that transports patients to and from
hospitals, extended care facilities and home address. Is it against HIPAA
to look at the patients packet of medical paper work that is given to us
from the hospital and or medical facility's. A lot of the time we have to
look at the records to find out what is wrong with the patient or
medications they
are on due to possible complications during transport. We also have to
document patient history in our run report. We also get patient face
sheets with patient information on it such as address, SS#, birth date,
insurance #, Guardian info, etc, etc.... Is any of this against HIPAA and
what are our limitations being a ambulance service?
The HIPAA Privacy Rule permits an ambulance service or other health care
provider to disclose protected health information about an individual,
without the individual’s authorization, to another health care provider,
such as a hospital, for that provider’s treatment of the individual. The
provider may also disclose this information to an ambulance service as
they are taking part in the treatment of the patient by transporting the
patient in a safe manner. This requires sharing health information.
See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.
(Posted 2/10/04)
We are self-funded and self-insured for our health plan. Can you
help with a hypothetical situation? A police officer has a hospital stay
and in the medical notes I find out he has Hepatitis. He is returning to
work as a police officer, is there any information that I can share with
his Police Chief that he has a contagious disease because he will be
around fellow police officers and the public? So far from what I have read
I see no exclusion unless he signs an authorization for me to share this
information.
All States have laws that require providers to report cases of
specific diseases to public health officials. The HIPAA Privacy Rule
permits disclosures that are required by law. Furthermore, disclosures to
public health authorities that are authorized by law to collect or receive
information for public health purposes are also permissible under the
Privacy Rule. In order to do their job of protecting the health of the
public, it is frequently necessary for public health officials to obtain
information about the persons affected by a disease. In some cases they
may need to contact those affected in order to determine the cause of the
disease to allow for actions to prevent further illness.
The Privacy Rule continues to allow for the existing practice of sharing protected health information with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting deaths and births, investigating the occurrence and cause of injury and disease, and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices. See the fact sheet and frequently asked questions on this web site about the public health provision for more information.
Therefore, you should follow your state's protocol and report the information to the public health agency and not to the Police Chief. The agency will follow correct protocol if a danger to others is anticipated. (Posted 2/10/04)
I work in the HR Dept. at a medium sized company and, as a
department, We would like to send get well cards to employees who are out
on FMLA/Medical Leave. Could this be considered a violation of HIPAA?
As long as your company is not considered a Covered Entity. Also HR
records which are a subset of the employee records are not considered
Protected Health Information. If an employee submits notice for a medical
leave, this information has nothing to do with the HIPAA Privacy
Regulation. Your HR department may follow whatever privacy and
confidentiality policies it has developed and this will not be seen as a
HIPAA violation.
(Posted 2/10/04)
I am working with an insurance company to produce materials that
encourage their insured customers to live healthier lifestyles that would
lower insurance and healthcare cost over time. I would like to compare use
of healthcare services at the beginning of the project to levels of use
one year later. Can insurance companies publish statistics based on
patient data regarding use of healthcare services?
Where a covered entity discloses only a limited data set to a business
associate for the business associate to carry out a health care operations
function, the covered entity satisfies the Rule’s requirements that it
obtain satisfactory assurances from its business associate with the data
use agreement. For example, where a State hospital association receives
only limited data sets of protected health information from its member
hospitals for the purposes of conducting and sharing comparative quality
analyses with these hospitals, the member hospitals need only have data
use agreements in place with the State hospital association. Therefore
since you will be using this information for health care operations and I
assume you are acting as a Business associate and have signed that
agreement, nothing further is necessary. However, publishing this
information can only be done with completely de-identified aggregate data.
Anything that is published can not in any way identify patients without
their authorization.
(Posted 2/10/04)
I work for an insurance company in Oklahoma. The company's name is
Old Surety Life Insurance Company. It is owned by Enterprise Holding
Company. Enterprise Holding Company also owns Enterprise Marketing
Corporation which is an insurance agency. Old Surety Life, the insurance
company, has approx. 10,000 medicare supplement insurance policyholders.
Can Old Surety Life Insurance Company provide basic information to
Enterprise Marketing Corporation about it's policyholders such as name,
address, city, state, zip, DOB, and agent without disclosing to the
policyholders that it is sharing this information? Can Old Surety Life
Insurance Company provide this same basic information to Enterprise
Marketing Corporation about it's policyholders such as name, address,
city, state, zip, DOB, and agent if it provides a value added benefit?
It appears you are attempting to market protected health information.
Under HIPAA if a health care operation communication does not fall within
one of the specific exceptions to the marketing definition, and the
communication falls under the definition of “marketing,” the Privacy
Rule’s provisions restricting the use or disclosure of protected health
information for marketing purposes will apply. For these marketing
communications, the individual’s authorization is required before a
covered entity may use or disclose protected health information.
The following link will provide additional guidance concerning marketing. This link will take you to the Marketing Fact Sheet developed by HHS. http://hhs.gov/ocr/hipaa/guidelines/marketing.pdf (Posted 2/10/04)
Are sign in sheets allowed to be used in the patient area?
Yes, sign in sheets are allowed. However, you should take a reasonable
approach to protecting this information. Therefore, a minimum amount of
information should be requested. By marking through names periodically
with a marker that will obliterate that information, you are making an
extra effort to protect PHI. If you proceed with many of these regulations
with how you would like to see your PHI or that of a loved one's
maintained, it will be easier to determine what is considered a reasonable
attempt to protect PHI.
(Posted 2/10/04)
I work for a Manufacturing Co who has posted notices that all Dr.
excuses must have the diagnosis on them. This seems that this is a privacy
issue. I don't know where or who might see this information.
This may very well be a privacy issue but it is not a HIPAA privacy
violation. The manufacturing company is not considered a HIPAA covered
entity and therefore does not fall under the guidelines of that
regulation. It appears that this is simply a company policy which they
feel is necessary to maintain adequate staffing and control call-offs.
Hopefully those persons that are in charge of receiving this information
are professional and will maintain your privacy.
(Posted 2/10/04)
The medical office, which I visited recently, provided my personal
information to a laboratory, where my test has been performed without my
permission to use this information . I received to my home address the
giant bill for this test. The staff of medical office didn't make me aware
that this test must be done outside and is supposed to be paid directly to
the laboratory. Was there a violation of my privacy from the side of
medical office, because I didn't sign ANY paper to release my information
out of this office?
Under the new HIPAA regulation, Covered entities such as your medical
office may supply personal information for treatment, payment, and health
care operations. Therefore, the exchange of information given to the
laboratory is not a violation of HIPAA. The medical office should include
this type of disclosure in their Notice of Privacy Practices which you
should have received after April 14, 2003. Aside from HIPAA, communication
is vital between patients and health care workers. Please be aware that
you have the right to ask as many questions as possible for you to
understand your care and the processes involved in your care. Clear
communication is the key and certainly leads to an informed patient. You
may also inform your physician of any concerns you may have with
disclosure of your protected health information and ask for specific
restraints on that information.
(Posted 2/10/04)
I am in a custody case and my ex wife's attorney subpoenaed several
local hospitals. Without my knowledge or consent and without a court
order, the hospital disclosed my medical records going back over 20 years.
Assuming this is a violation of my rights under the new law, what action
can I take?
Since I am not sure of the reason for subpoenaed records The section
of the regulation you would want to review is
§ 164.512. I am including the link to the regulation
http://www.hhs.gov/ocr/combinedregtext.pdf. The section you are
looking for starts on page 24 of the actual regulation. Please carefully
read through this section and determine if your rights were violated. If
after reading you believe your rights have been violated you may file a
complaint with the covered entity which released those records by
contacting their privacy officer. You may also file a complaint with the
Office of Civil Rights (OCR) I am including a link that will take you to
the OCR Fact Sheet with all the instructions on how to file a HIPAA
complaint. The OCR receives and investigates all HIPAA Privacy complaints.
But in order to be heard you must follow the guidelines noted in this fact
sheet.
http://www.hhs.gov/ocr/privacyhowtofile.htm
(Posted 2/10/04)
We are a pediatric clinic and all PHI maintained is regarding our
pediatric patients. I understand the HIPAA standards regarding disclosure
for judicial/administrative activities and law enforcement purposes. My
question is: what if law enforcement were to ask us for information
regarding the parent of a pediatric patient for identification/location,
warrant or process, etc. Demographic information for the
parent/patient/family is contained within the patient's PHI.
As long as you are following the same protocol regarding release of
information of the patient, the demographic parent information will fall
under the same guidelines. In other words if the process is followed
according to the HIPAA regulation and you feel that it is permissible to
divulge the PHI, the demographics of the parents is also permissible to
divulge.
(Posted 2/10/04)
My friend's father has just been hospitalized for a serious illness
and cannot communicate. He is in a semi-coma state. He is married to his
second wife and the hospital and physicians will only release information
to her. She is in her 80s and is not in a position to make effective
decisions or understand what the providers are recommending. She
acknowledges this and is willing to allow my friend to be the decision
maker on her father's care but the facility and providers will not release
any information to my friend. Unfortunately, this illness was unforeseen
and there is no HIPAA authorization on file to allow release of info to
anyone. Because the spouse is considered next of kin, this is the only
person they will deal with and it may be jeopardizing this man's health.
Is there anything my friend can do?
I suggest your friend immediately contact the privacy officer of this
facility. Your friend is a family member as the daughter of the patient
and therefore is acting as the patients advocate as well as the 80 year
old wife's advocate. Covered entities are certainly allowed to make
decisions concerning personal representatives as well as sharing health
care information in an emergency situation that is in the best interest of
the patient. From what I am understanding the patient had not excluded in
the past communication with the daughter and even if he had the current
situation with the wife asking for the daughter to step in would override
that request if the patient's health or the care is at risk.
(Posted 2/10/04)
Can a close friend call a doctor's office and request prescriptions
for medication for that friend? Would there need to be authorization for
that friend to receive those prescriptions?
The answer to your question is determined on an individual case. The
office will probably want to speak to the patient directly for this
request. However, if there are extenuating circumstances such as a chronic
debilitating illness the patient may state that in the future this
"friend" is permitted to assist with his/her care and act as his/her
advocate. The office may have an authorization policy for all individuals
and may certainly exercise that process. HIPAA's intent is not to impede
quality health care but to protect patient's health information. Therefore
if you approach situations with both of these goals in mind, you should be
able to institute policies and practices that accomplish both goals.
(Posted 2/10/04)
A representative from the Dept. of Health in my state told the local paper that they cannot divulge the number of flu deaths in each county, as that would be a HIPAA violation. "According to Health Department Spokesperson Ann Wright, the state is prohibited by HIPPA laws from revealing which counties have reported flu deaths. There have been 13 deaths statewide, with one younger than the age of 21. " (The Baxter Bulletin, Dec. 24, 2003).
I say it isn't a violation because you are not identifying patients
in any way, just a collective number. Why would it be OK to divulge the
statewide total and not county total? I think they just don't want to tell
the number and are using HIPAA as an excuse.
I believe your county health department is attempting to work within
the scope of HIPAA. The numbers of deaths statewide are very small (13).
Therefore, when you get down to the county, this number could possibly be
much smaller such as 1 or 2. HIPAA states in order to give out
deidentified PHI, the covered entity must determine that health
information is not individually identifiable. The regulation goes on to
list all identifiers which must be removed to accomplish that task. One of
the identifiers is all geographic subdivisions smaller than a State,
including street address, city, county, precinct, precinct, and zip code.
So you can see that although the number represents an aggregate number it
could possibly identify that person or persons.
(Posted 2/10/04)
I have been told that it is necessary to use a shredder that cross
cuts as opposed to one that just strip cuts paper. Is this true?
HIPAA is not that specific in the regulation. HIPAA simply ask that
you as a covered entity must reasonably safeguard protected health
information from any intentional or unintentional use or disclosure. Under
this standard, entities should minimize the risk of unintentional
disclosure by taking appropriate action for all PHI that is being
disposed. By shredding documents you are certainly taking an appropriate
action. If you feel that your shredding system is not reasonably
obliterating the PHI you may want to look into a better system. Most
shredders are designed to do just that (shred information) whether it is
by cross cuts or strip cuts. The bigger problem here is getting personnel
to shred these documents or scraps of paper that may contain PHI. This is
where you may want to focus the better part of your attention which is not
costly but a cultural change issue that needs repeated attention. (Posted
2/10/04)
We are contemplating digitizing our medical records. If we make
electronic copies of our records, are we required to keep a hard copy of
the record and are there any HIPAA ruling that preclude us from doing the
above?
One of the original intents of HIPAA is to move the health care
industry into the electronic age. Therefore digitizing your medical
records is not against HIPAA. HIPAA speaks to record retention for a
period of 6 years which includes maintaining documentation such as
policies and procedures and communication concerning records. Many states
have individual laws concerning the amount of years medical records must
be maintained and this is something you should look into for Texas. If
your records are entirely digitized, I see no need to maintain the paper
record unless a state law would supersede.
(Posted 2/10/04)
There seems to be some conflict in the hospital about the hospital
policy and the actual signed request of the patient concerning contacting
the patient for out patient services after discharge, specifically,
Diabetic Education. I would like to see a complete updated copy of the
HIPAA ACT. Hospitals at present do not send the signed HIPA papers with
the admission to the out patient services. Please advise about acquiring
the actual HIPAA Updated ACT and information about the protocol for the
Hospital to admit a patient to the out patient educational services
without including their HIPAA signed paper work.
For the complete HIPAA Privacy Regulation Standard, please click on
the following link
http://www.hhs.gov/ocr/hipaa/
I am not 100% sure what you are referencing when you speak of the "HIPAA"
papers. The Notice of Privacy Practices is the document which discusses
your organization's policies on how that specific organization shares
protected health information and this may be what you are referencing. The
document should be given to patients and a signed receipt acknowledging
that the document is received by the patient should be kept on file.
(Posted 2/10/04)
I am employed as an RN. My primary responsibility is Critical Care
Transport of patients that occur interfacility. Secondarily, we conduct
follow up reports on our patients. Is is a violation of HIPAA to request
patient information from a primary caregiver of that patient at another
facility? The majority of our patients are critically ill and unable to
speak or make their own judgements. I have been denied information
numerous times despite telling the caregiver that our phone calls are part
of a QA process.
Sharing information for treatment, payment, or health care operations
is not a violation of HIPAA. If you continue to experience this problem,
you should ask to be directed to the Privacy officer of that institution.
The institution may want assurance that this information is being cared
for in the same manner they would and may need you (your organization) to
sign a business associate contract.
(Posted 2/10/04)
I work for a private clinic that leaves the exam room doors open
while performing an exam. The exam does not require the patient to
disrobe. Does HIPAA require that the exam room doors be closed during an
exam?
While HIPAA is not that definitive in the regulation, it does state
that an identifier is the actual person constituting Individually
Identifiable Health Information. Therefore a simple process is to close
the exam door, thereby protecting PHI. Not only is the person visible when
the door is left open but spoken words are easily overheard and thereby
revealing PHI. HIIPAA asks that you make a reasonable attempt at
preserving all PHI and closing a door where patients are being examined is
certainly a reasonable approach which I suggest you start immediately.
(Posted 2/10/04)
We have an employee who took a second (moonlighting) job, which is
permitted by our rules. We contacted the other employer to confirm that
the employee’s scheduled hours did not overlap with our scheduled hours,
and to see if he was eligible for health care benefits at his new
employer. We were told that they could not reveal if he was receiving
health care benefits because of HIPAA? Is this correct?
You have not identified the type of entity to first determine if they
are bound by HIPAA. Although, even without that information, it is clear
that the records you are referring to are employee records and they do not
fall under the guidelines of HIPAA.
(Posted 2/10/04)
Are there any HIPAA restrictions concerning Church ministers
visiting hospital patients? If there are, what are they? I am a church
laymen and I'd like to visit hospital patients to help lighten the load
for the church staff but the staff is reluctant to allow it for fear of
HIPAA restrictions.
The HIPAA Privacy Rule allows this type of communication to occur, as
long as the patient has been informed of this use and disclosure, and does
not object. Providing this information in the Notice of Privacy Practices
is a very good way of informing patients of this type of disclosure. The
Privacy Rule provides that a hospital or other covered health care
provider may maintain in a directory the following information about that
individual: the individual’s name; location in the facility; health
condition expressed in general terms; and religious affiliation. The
facility may disclose this directory information to members of the clergy.
Directory information, except for religious affiliation, may be disclosed
only to other persons who ask for the individual by name. When, due to
emergency circumstances or incapacity, the patient has not been provided
an opportunity to agree or object to being included in the facility’s
directory, these disclosures may still occur, if such disclosure is
consistent with any known prior expressed preference of the individual and
the disclosure is in the individual’s best interest as determined in the
professional judgment of the provider.
(Posted 2/10/04)
I work for a Hospital in Iowa as an RN. My personal information
address was obtained by another staff member, either by the hospital
giving it out through Human Resources or obtained from our computer system
when I was a patient. Can HR give out my person info to another employee?
Is it illegal for the employee to obtain the info. from my recent
hospitalization?
This is certainly one of those areas where employees feel they are
doing nothing wrong by accessing information which they can readily obtain
but do not have the right to such information as this is not part of
performing their duties as a health care worker. Many times employees feel
that they are not in violation of the patient's privacy as they already
have access to this information. However, the access is limited to
performing their job and I am sure you will agree this is outside of that
scope. You should report this breach to your privacy officer so education
on this matter is added to the HIPAA Privacy training in your
organization. The Privacy Officer should further discuss this breach with
that employee.
(Posted 2/10/04)
What I would need to do if I knew of an office that was not HIPAA
regulated yet. The office that I used to work at is not. Insurance
claims are not even getting paid because the practice is not in the rules
and regulated yet! Do you know who I can contact to let someone know this
important information? They are not even keeping patient information
private!
Here is a link that will take you to the OCR (Office of Civil Rights) Fact
Sheet with all the instructions on how to file a HIPAA complaint. The OCR
receives and investigates all HIPAA Privacy complaints. But in order to be
heard you must follow the guidelines noted in this fact sheet.
http://www.hhs.gov/ocr/privacyhowtofile.htm
(Posted 2/10/04)
I am a registered nurse in an emergency department. It seems that
with all the new HIPAA regulations everyone is afraid to discuss anything
with anyone. I think it is being blown out of proportion and I don't think
that is the intention of the HIPAA regulations. My specific question is
this: If social services is called in to investigate a situation where a
child was involved in an automobile accident where the mother (the driver)
was very much under the influence, can we share information with social
service to assist them with their investigation. Can we reveal such things
as drug testing and other information related to the mother's condition at
the time of the accident in order to protect the child? Also, can
information be shared with police?
I am in full agreement with you concerning the misinformation that
surrounds HIPAA. HIPAA's intent is not to hamper health care operations
but instead to protect and secure individually identifiable health
information for all patients. If you read the following notation, you will
agree that you are within the guidelines of HIPAA when reporting the
incidence noted in your question. Covered entities may disclose protected
health information that they believe is necessary to prevent or lessen a
serious and imminent threat to a person or the public, when such
disclosure is made to someone they believe can prevent or lessen the
threat (including the target of the threat). Covered entities may also
disclose to law enforcement if the information is needed to identify or
apprehend an escapee or violent criminal. 45 C.F.R. § 164.512(j).
(Posted 12/2/03)
We offer an "Ask the Dr." feature on our website. I was going over
some information about the requirements of getting an acknowledgement of
receipt of the notice of privacy practices. I read that the rule requires
that we send the notice to the patient if their first request for service
is electronic and attempt to get this acknowledgement. Does this apply to
the "Ask the Dr." feature on our website when our Dr. replies to the
potential patient? And if this a requirement do you have any suggestion as
to how we are to track these if the patient hasn't actually "become a
patient" in our office?
According to the Department of Health and Human Services the following
guideline must be used with regards to electronic service which I suggest
you put into place for your Dr. Feature on your website. For service
provided electronically, the notice must be sent electronically
automatically and contemporaneously in response to the individual’s first
request for service. In this situation, an electronic return receipt or
other return transmission from the individual is considered a valid
written acknowledgment of the notice. (Posted 12/2/03)
My nephew is in the hospital and his father brought a friend down
there with him to visit and we were wondering if this is HIPAA violation.
My sister asked the nurse if she could stop this person from being in the
room and the nurse said that as long as they were invited to come down
they had the right to be there. I am very concerned with this because no
one knows this person and I am afraid that the wrong person might find out
about my nephew and his condition. Is this a HIPAA violation that the
hospital let someone in the room that is not a family member or friend of
the families hear about my nephew's condition?
Your nephew has the right to limit visitors specifically and/or has
the right to have his information concerning his, name, room number,
condition, etc. removed from the hospital patient directory. If this is
indeed his wish, he should let the staff know of his concerns and have
proper process put into place to enable this right. The hospital must
abide by these restrictions once requested and if after those restrictions
are in place the violation continues, a HIPAA violation is taking place
and a complaint may be filed. (Posted 12/2/03)
Are medical transcription services that use typists from overseas
actually HIPAA compliant?
Medical transcription services outside of the United States do not
need to comply with HIPAA regulations. Therefore, you should exercise
caution when outsourcing this service. I am including a current event item
which brings this issue to light. Please note the following:
October 27, 2003
A California state senator will introduce a bill prohibiting state
hospitals from allowing medical data to leave the country, San Francisco
Chronicle (http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2003/10/26/BUGIN2J2A01.DTL
) columnist David Lazarus reports. The move follows a threat by a
woman in Pakistan doing subcontracted transcription work for the
University of California-San Francisco Medical Center to post patients’ medical records
on the Internet unless she was paid more money.
Under the bill, state hospitals would likely be prevented from outsourcing transcription work unless they could verify that all related files stay in the country, which would make hospitals responsible for any subcontracting issues. Sen. Liz Figueroa (D-Fremont) will introduce the bill in January when the state Senate returns for its regular session, the Chronicle reports. Figueroa expects the health care industry to fight the legislation, but she said that because of the public’s increased concern about privacy issues, the bill will eventually pass (Lazarus, San Francisco Chronicle, 10/26).
In the UCSF incident, the Pakistani transcriber, Lubna Baloch, on Oct. 7 sent an e-mail to UCSF threatening to post all the voice files and patient records from the UCSF Parnassus and Mt. Zion campuses on the Internet unless she received money that a subcontractor allegedly owed her. Baloch attached to the e-mail actual files with dictation from UCSF physicians. After she received a portion of the $500 that she said she was owed, Baloch on Oct. 8 sent UCSF an e-mail withdrawing her threats (iHealthBeat 10/23).
This is the first time an overseas transcriber has used confidential medical records against a U.S. hospital, the Chronicle reports (San Francisco Chronicle, 10/26). (Posted 11/14/03)
I work in a pharmacy and we need to get refill authorization for
people's medications. The computer was programmed with the wrong
information as to where the doctor was located at. (She practiced mental
health at this facility and then moved to another clinic). Well we faxed a
refill request on the proper form to the phone number in the computer and
it came back to us saying she did not practice at that facility anymore.
Was that a violation of HIPAA policies? The pharmacist says it is, well
another pharmacist says it wasn't.
To answer your question, you should first look at the policies and
procedures of your organization. If your policy stipulates that you must
verify that the correct fax information is programmed prior to faxing,
then you may be in violation of your organization's HIPAA policy. HIPAA
does not offer specificity on this subject but a reasonable approach to
protecting privacy and security of PHI is your responsibility.
(Posted 11/14/03)
Can my health care provider fax information to an insurance company
(or any other company as far as that goes) without my knowing it or
authorizing it ?
Health care providers must present you with a Notice of Privacy Practices.
In this notice, the provider will state who they provide information to.
Health plans will be noted as a group that they supply protected health
information to for provision of payment. Health care providers may share
information with other health care providers for treatment, health plans
for payment, and other specific entities in regards to health care
operations. You can request an accounting of disclosures from your health
care provider for all those disclosures that must be accounted to the
individual upon request. And also there are certain cases where sharing of
your information will require your authorization. I suggest you review
your provider's Notice of Privacy Practices and then discuss all of these
concerns with the provider's privacy officer which will be noted in the
notice.
(Posted 11/14/03)
We are a family practice referring a worker's compensation patient
to an ortho. When the nurse called the physician's office to make the
referral appointment the nurse was told due to HIPAA our office could not
make the appointment and the employer would have to. Under HIPAA it is our
understanding we can use the patient's info for treatment and of course,
the referral is for treatment. What documentation could we share with this
office to show them a referral from one doctor to another, even for
workers compensation, is covered?
It is unbelievable at times the amount of misinformation which is out
there concerning the HIPAA Privacy Rule. And unfortunately covered
entities that must be compliant are among the largest group that entertain
this misinformation. You are of course correct in your comments concerning
sharing information with other treatment providers. The best document is
the actual regulation which can be found at
http://www.hhs.gov/ocr/combinedregtext.pdf. The first section you will
want to refer the orthopedic office to is section 164.502(a)(1)(ii). You
can also refer them to section 164.506. There are certainly many other
references on the internet but I encourage individuals to go directly to
the source for the actual facts and therefore it is advisable that covered
entities download the document and keep for reference.
(Posted 10/28/03)
Must a covered entity get an authorization to release PHI of its
employee for FMLA?
If a covered entity is also an employer, the covered entity may use
the employee health records (those maintained in the human resource
department) for operations such as the FMLA. The employer may not request
the employee's actual medical records without proper authorization from
the employee. Simply because the employer happens to be a covered entity,
this does not afford him/her the right to gain access to health records
maintained by a covered entity without written authorization of the
individual. Although health records which are part of the employee file
can be used for operations such as mentioned in your email.
(Posted 10/28/03)
The Privacy Rule requires Business Associate agreements to include
certain things - 164.504(e)(2)(ii)(E),(F) & (G) requires the agreement to
state that the Business Associate will make PHI available for patient
access, amendment and for an accounting of disclosures. For the agreement
with our document destruction service, should those items be left out of
the agreement, or should they be included as required, even though they do
not apply for the service they perform?
Clearly you can delete those references since there are no documents
available for access, amendment or disclosing as they are no longer in
existence. (Posted 10/28/03)
My question is concerning chart security. We are Oral-Facial
Surgeons and have three locations. The patient charts in all three
locations are not accessible to the patients or the general public. Both
the office buildings and the offices are locked at night and off-hours,
but the charts are not locked in a separate room or area within the
offices. Our question is- how ‘secure’ must these patient charts be? Must
they be under lock and key in individual cabinets or simply secure within
our offices?
The HIPAA Privacy Regulations in this area are not specific regarding
the infrastructure of your facility. In section 164.530(c)(1)&(2), the
requirements state that you must reasonably safeguard PHI from any
intentional and unintentional use or disclosure through the use of
appropriate administrative, technical, and physical safeguards. Therefore
you will want to do the best job possible with your resources. You may
want to ask yourself, if your personal record is placed in any of the
areas where records are stored in the three facilities you mentioned,
would you feel secure that it was protected. If you are in doubt of any of
those areas, you should firm up that process for protection and security
of PHI. Also you may want to ask yourself if your current practice makes
good business sense and are you 100% sure where you can locate a record at
any given time. It is important to make every attempt to secure and
protect PHI. (Posted 10/28/03)
I work in the insurance industry and deal directly with bodily
injury/liability claims. In order to obtain medical records we obtain
written permission from our claimants to request medical records from the
providers they list on the form. While we have tailored or Medical
Authorization form to meet HIPAA guidelines, we frequently find that
specific medical institutions reject our form because it doesn't meet
guidelines they have instituted beyond HIPAA's compliance guidelines.
Would you please provide a run down of what a basic Request for Medical
Information Authorization form should contain, also, in your opinion does
a provider have a right to reject our authorization form because it lacks
details they deem necessary but are not HIPAA compliant?
Noted below are the minimum requirements covered entities will be
looking for in an authorization form:
- A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
- The name or other specific identification of the person(s) or class or persons authorized to make the requested use or disclosure
- A description of each purpose of the requested use or disclosure
- An expiration date or expiration of event (i.e. end of trial)
- Signature of individual and date If the release of information is requested as a court order or in a dispute you must follow those specific guidelines.
You can find the actual privacy regulation and download from the following link http://www.hhs.gov/ocr/combinedregtext.pdf . Refer to section 164.512(e). And finally to answer your question concerning the right to reject your authorization form due to lack of HIPAA compliance, I would agree that they do have this right. Before they release information they must be secure that they are following HIPAA guidelines and in many cases must account for disclosures and also need this information. (Posted 10/28/03)
How do I make a subpoena requesting medical records for a legal
proceeding HIPAA compliant? Each hospital seems to have their own rules.
Noted below are the minimum requirements covered entities will be
looking for in an authorization form:
- A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
- The name or other specific identification of the person(s) or class or persons authorized to make the requested use or disclosure
- A description of each purpose of the requested use or disclosure
- An expiration date or expiration of event (i.e. end of trial)
- Signature of individual and date
If the release of information is requested as a court order or in a dispute you must follow those specific guidelines in addition to the above minimum requirements. You can find the actual privacy regulation and download from the following link http://www.hhs.gov/ocr/combinedregtext.pdf. Refer to section 164.512(e). (Posted 10/28/03)
I am a new practice manager for a plastic surgery office. We have a
statement which patients read but currently do not sign. Is it mandatory
(or recommended) that each patient sign this form indicating our
notification and compliance with the new HIPPA law?
The HIPAA Privacy Rule requires a covered health care provider with
direct treatment relationships with individuals such as your plastic
surgery office to give the Notice of Privacy Practices (NPP) to every
individual no later than the date of first service delivery to the
individual and to make a good faith effort to obtain the individual’s
written acknowledgment of receipt of the notice. If the provider maintains
an office or other physical site where she provides health care directly
to individuals, the provider must also post the notice in the facility in
a clear and prominent location where individuals are likely to see it, as
well as make the notice available to those who ask for a copy. It is
simply not enough to provide a statement concerning compliance with the
HIPAA Privacy Rule. You must produce the NPP which clearly states items
from the regulation as well as your individual practices concerning use
and disclosure of protected health information along with detailing the
patient's rights. Please reference the HIPAA Privacy Rule for the
requirements of this document. You can download a copy of the Regulation
at the following website:
http://www.hhs.gov/ocr/combinedregtext.pdf. (Posted
10/28/03)
We are a mid-size office and we currently charge patients $25.00 for
their medical records. We have been told that per HIPAA, offices are not
allowed to charge for medical records. Is this true? I have not been able
to find anything specific on the subject.
In response to your question, I am referring you to section 164.524 of
the HIPAA Privacy Regulation. The regulation states that if an individual
requests a copy of PHI or agrees to a summary or explanation of such
information, the covered entity may impose a “reasonable”, cost-based fee.
The fee must include only the cost of:
- Copying (including the cost of supplies for and the labor of copying)
- Postage (when the individual is requesting the PHI to be mailed)
- Preparing the explanation or summary of the PHI (when the individual is requesting this service)
Therefore, you should assess if the $25.00 fee is reasonable and only covers the cost permitted by the regulation. (Posted 10/15/03)
Is there such a thing as "HIPPA compliant shredders"? The rumor
around here is that we must have shredders that "cross-cut" in order to be
HIPPA compliant.
One of the unfortunate byproducts of HIPAA is the misinformation that
accompanies this important piece of legislation. I have been doing HIPAA
Assessments and Gap Analysis for a couple of years now. I have trained
many organizations from small to large, health care providers to health
plans and now am assisting organizations with the audit process for their
compliance efforts and I must admit I’m still amazed at the misinformation
which surfaces. No where in the regulations is there direction that speaks
to a “HIPAA Compliant Shredder”.
When you think of disposing documents, papers, notes, etc. that contain protected health information (PHI), you must remember that this information is in your care and therefore you should take precautions to dispose of it so that the PHI is protected. If your current shredder allows PHI to be visible you may want to revisit the shredder issue but bear in mind the regulation does not endorse any shredding companies or process. Keeping your goal in mind should certainly guide your policy. (Posted 10/15/03)
Does HIPAA change the right of a defendant to subpoena the patient's
medical records with notice but without authorization when the patient
institutes civil litigation claiming total disability??
HIPAA does not change this right. You are correct in noting that
reasonable efforts have first been made by such party (requestor) to
ensure that the individual who is the subject of the PHI, that has been
requested, has been given notice of the request. This notice must be in
written documentation and must include sufficient information about the
litigation or proceeding in which the PHI is requested to permit the
individual to raise an objection to the court or administrative tribunal.
If the time for the individual to raise objections to the court or
administrative tribunal and no objections were filed or all objections
filed by the individual have been resolved by the court or administrative
tribunal, the release of PHI may be honored. This PHI will be released
with a qualified protective order stating that the PHI will only be used
for the intended purposes and requires the return of the PHI to the
covered entity or destruction (including all copies made) at the end of
the litigation or proceeding. (Posted 10/15/03)
I have a question about patient privacy concerns. Last week I
visited my physician’s office to see if previous health records from a
former doctor had been received and placed into my current medical chart.
The clerks at the office looked through my file and said some records had
been received. When I asked to see the copies in my chart, to determine if
they were the right information, I was told that I was not allowed to look
at my chart! I was not allowed to look at ANY of my chart, even though I
was standing right there! When questioned, the staff informed me that this
was a rule of the new HIPPA regulations, and that I was not allowed to
look at my chart. I found this to be unbelievable and felt that they were
perhaps interpreting the HIPPA regulations incorrectly. Can you please
explain this to me?
It seems to me that there may be a communication problem between you and
the physician's office. One of the very explicit patient rights outlined
by HIPAA in the Privacy Rule is for access of individuals to protected
health information (PHI). According to this rule, individuals have a right
of access to inspect and obtain a copy of PHI about the individual. The
institution may require individuals to make requests for access in writing
and could possibly deny this access if it meets the issues stated in the
Privacy Rule. There are other more specific clauses noted in the rule but
for the most part you do have the right to access your PHI. This right
should also be noted in the Notice of Privacy Practices for that
organization and you should have been given this notice. If you have not,
please request a copy from your physician's office. You also have a right
to file a complaint to the Office of Civil Rights. You can file this
complaint electronically -
OCRComplaint@hhs.gov. You can also mail a complaint and that address
differs according to your region. This information should be contained in
your physician office's Notice of Privacy Practices or contact the above
email for that information. (Posted 10/15/03)
I am trying to find a form for a psych authorization form. do you
know where I can find that?
There is no HIPAA approved psychiatric authorization form. The
authorization form must be made specific to each situation. HIPAA does
state the core elements and requirements of the form which are all
detailed in section 164.508(c) of the Privacy Regulations. (Posted
10/15/03)
I work in small private non-profit alcohol/drug treatment agency. My
agency works with the local drug court and performs two separate functions
for the drug court. We provide case management and the year long drug
court treatment. Each client has a case manager and a treatment counselor.
To make record keeping more efficient we have elected to have a case
management file that the case manager is responsible for and a treatment
file that the treatment counselor is responsible for. When the client has
completed the drug court program the files will be combined for long term
storage. Is it compliant to have two files on one client within the same
agency?
Yes, there may be two files. The point is that you must know that
these files exist and where all the protected health information (PHI) in
your care is maintained. All of this PHI is your responsibility. Also you
must understand that if a patient elects to amend a file and this request
is granted all files must be modified. Both records should be treated as
one. (Posted 10/15/03)
We are a New York PT provider treating a patient injured and treated
in Florida. We wish to get copies of the MRI and other records from the
Florida health care providers. The Florida provider requests an
authorization. Do we need an authorization? This is W/C. She has signed
our consent form allowing use and disclosure for treatment, operations and
payment.
This is a very interesting question. In order to supply you with all
of the information you will need on this topic, I am referring you to the
following link:
http://www.hhs.gov/ocr/hipaa/guidelines/workerscompensation.pdf.
This link provides an answer by the Office of Civil Rights which is the
agency in charge of investigating privacy breaches. This document will
supply you with all the necessary information which you may pass on to the
covered entities when requesting disclosure of PHI related to Worker's
Compensation claims. (Posted 10/15/03)
I was wondering if all patient files must be locked up after hours.
If so, what part of the HIPAA requires it?
You will not find a specific notation in the HIPAA Privacy Regulations
that state the need to lock up records after hours. However the
regulations do state that a covered entity must have in place appropriate
administrative, technical, and physical safeguards to protect the privacy
of protected health information (PHI). The regulations go on to describe
implementation specification safeguards;
(i) A covered entity must reasonably safeguard PHI from any intentional
or unintentional use or disclosure that is in violation of the standards,
implementation specifications or other requirements of this subpart.
(ii) A covered entity must reasonably safeguard PHI to limit incidental
uses or disclosures made pursuant to an otherwise permitted or required
use or disclosure.
This information can be found in section 164.530(c)(1)- (2)
Locking up files at the end of the day seems to be a reasonable measure for protection of PHI and therefore it is advisable to pursue this process. (Posted 10/15/03)
I am a hearing officer for a state Unemployment Appeals Agency
adjudicating cases under our states Unemployment Compensation Law. Under
HIPAA ,are employers, which have medical information about a former
employee, prevented from presenting this information in an appeals hearing
regarding that employees reason for separation, without the former
employers permission?
The information provided in this question is very limited but I will
attempt to answer with that in mind. First of all HIPAA regulations apply
for covered entities only. A business associate of a covered entity is
tied to that covered entity if a business associate contract is involved
but the business associate is not held liable under the HIPAA regulations.
So the first question is whether or not the employer is considered a
covered entity.
HIPAA requires "covered entities" to protect certain categories of information that qualify as "protected health information" under its provisions. The HIPAA regulations state that individually identifiable health information in employment records held by a covered entity in its role as an employer is not "protected health information." (45 C.F.R. §164.501). The HHS explains it this way:
Medical information needed for an employer to carry out its obligations under the Family Medical Leave Act (FMLA), the Americans with Disabilities Act (ADA), and similar laws, as well as the files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by the covered entity in its role as an employer. 67 Fed. Reg. 53, 192 (Aug. 14, 2002).
This type of medical information is a necessary part of the employer's official function, and the law permits employers to collect and maintain it. It is not HIPAA-protected, BUT is still subject to state laws on privacy! It should be treated as confidential information.
A follow-up question: If the employer is a hospital and contracts
with an organization to provide employee assistance programs for their
employees, including treatment for substance abuse, are the records of
collection, chain of custody, and methodology of testing of urine, blood,
and hair samples, and the test results protected health information that
the employer would be liable under the act if given as evidence in an
appeals hearing with out the former employees permission?
According to the information, I am assuming that all of the health
information you are referencing is part of the employment records
maintained by the covered entity in its role as an employer and therefore
is not considered PHI. Now if this information is gained by accessing the
employee's medical record found in the hospital, the testing of urine,
blood, and hair samples, and the test results are considered PHI and can
not be disclosed. But I am guessing that this information has been
maintained by the HR Department in conjunction with an agreed upon drug
screen program and therefore is not considered PHI. (Posted
10/15/03)
We have a dental practice that treats families. Our question is when a parent brings in a child that is a new patient and signs an Notice of Privacy Practices form on behalf of their child and then comes in a few days later with another one of their children who is also a new patient-does the parent need to sign a separate NPP form for that child as well or can the first form that they signed be designated for all of their children ?? You can certainly provide one copy of the NPP for each family and ask that they sign receipt and apply to all of their children so that you may enter this in your database or place copies in each of the charts. If this is the form you are referring to, the idea is that the individual and in this case that is the parent understands your policies in regards to use and disclosure of protected health information as well as their rights in regards to this information. Therefore one NPP receipt applied to all of the children's records should be sufficient but make sure the parent understands that you will be including this in each of those records. (Posted 10/15/03)
We are a long term care facility and we have held open meetings for
the families of patients where names of our residents may be used by
family members. Are we or would we be out of compliance in an open forum
like this? What would you recommend to solve this question?
The intent of the HIPAA regulation is not to hamper patient treatment
or those related activities. It sounds like family night is important for
the patients as well as their families. My suggestion is that this
practice along with other practices similar to this be included in your
notice of privacy practices (NPP). This way patients and their families
will be aware of the process as well as the limited amount of PHI that may
be shared during these meetings. You should also take every step possible
to limit the information shared during this program. (Posted
10/15/03)
We are a pediatrics clinic and we occasionally have "coloring
contests" and display the pictures on our hallway bulletin board with the
child's name and age displayed. Also, we occasionally display halloween
"pumpkins" with the child's name signifying contribution to March of
Dimes, etc. Is this considered disclosure of PHI - do we need the parent's
authorization - or should we cease these activities?
The intent of HIPAA is not to hamper activities of providers but to
protect PHI. The coloring contests and bulletin boards probably help your
little patients feel more comfortable and secure and therefore should not
be dismissed. One of the original guiding principles of the HIPAA
regulation is to provide privacy and security for PHI so that patients are
comfortable with sharing this information to healthcare providers and
therefore communicating in a way that will best serve their treatment,
etc. With regards to the pictures, you should be aware that some patient's
families may not want this information (full names) to be public for
reasons they may have. You should adopt a few new practices in regards to
this issue: Use first names only on the artwork Discuss the artwork in a
brief statement in your Notice of Privacy Practices as a practice of your
office Provide the opportunity to your patients (PARENTS) to opt out of
this process if they object to the first name of their child appearing in
public I doubt that you will have many issues with this practice but it is
always better to inform individuals up front and provide a process for
opting out if they so desire. (Posted 10/15/03)
My mother in law recently received a letter from her attorney in which he specifically cites the new HIPAA laws and how they affect the release of information to family members. In his letter, he points out that "Many of you have already signed HIPAA release forms at your doctor's office, pharmacy, or hospital. These releases are for your Health Insurance Company and Medicare and authorize the release of information to them. They do not release information to your family or agents."
He has offered to provide a form at a cost of $125 for the initial authorization (e.g. family member 1) and $50 for each member after that.
My question is this: Can this be done with her provider? Would it be
acceptable under the HIPAA regulations to sign an authorization with her
physician and hospital to release medical information to selected family
members? Is it necessary to work through an attorney to accomplish this?
I have reread this email several times as I am not believing what I am
seeing. There are many items of misinformation in this email. I am
assuming from this email that these are the facts as you see them and
therefore I am responding to those items. I caution you that this may
constitute a situation purely on miscommunication between the attorney's
office and your mother-in-law and you should first gain clarification of
this letter. I would like to simply provide you with some clarification on
the items of HIPAA which you are addressing.
- HIPAA does not in the final rule require a release form for treatment, payment, or health care operations
- HIPAA does require organizations such as the " doctor's office, pharmacy, or hospital" referenced in your letter to provide the Notice of Privacy Practices (NPP) of individual organizations to their patients and with that these organizations must make a good faith effort to obtain a written acknowledgment of receipt of the NPP. This is probably the document the law firm is discussing in reference to a "HIPAA document"
- You may also be asked to sign a release for your Health Insurance Company and Medicare but this is not a HIPAA mandate and is not necessary under the HIPAA guidelines
- The NPP of each organization will define how they use and disclose your PHI and in many cases will note that personal representatives such as family members may be included. You as a patient have the right to include or exclude any individuals in this release of information and you should follow the process of that individual organization
- It is not necessary to work through an attorney for this process unless the individual (patient) does not want to include the family and there are extenuating circumstances such as legal implications or guardianship that must be addressed (Posted 10/15/03)
I have an associate who believes that his mother may have
Alzheimer's disease. However, this associate's mother requested that her
doctors not give out any information to anyone concerning her condition,
including her family. He is extremely worried about her. What does he need
to do to find out what his mother's condition is?
Patients do have a right to request that their information be
restricted from certain individuals. With that said, it is also important
to note that HIPAA is informing providers such as a physician that if they
feel this is not in the best interest of that patient, they are free to
supercede this restrictions in an emergency situation. I am sure neither
you nor I have all the facts in this case and therefore, I suggest your
associate contact the physician office and request a family meeting to
discuss what is in the best interest for the patient. If the physician
feels it is important to follow his patient's restrictions and the
associate feels otherwise, this will then need to be taken up with an
attorney. Communication is certainly the key here. (Posted
10/15/03)
We are a residential substance abuse treatment facility located in
Vermont. Often, our clients/residents come to us either from a
correctional facility or at the recommendation of a probation officer. My
questions regarding patient privacy are:
1. before the client enters treatment we may receive a faxed signed
consent for release of information form between our organization and the
probation officer. The person enters our facility and then notifies our
staff that s/he wishes to revoke the consent. Can we revoke a consent that
we did not sign, but were the recipient of? Can we then tell the P.O. that
the consent has been revoked?
2. we use a separate consent form for each 'part' of the department of
corrections and their affiliates: the court, public defender's office,
probation officer, facility case worker, etc. We are aware of a large
organization that uses one consent form for all the above. This would be a
great time and paper saver, but we are not certain that this is allowed
under HIPAA.
From reading your email I am not 100% sure of your status in regards
to a HIPAA covered entity. Therefore, I submit this test for you to apply
first regarding your status: Here is a simple test to see if a person,
business, or agency is a covered health care provider.
- Does the person, business, or agency furnish bill, or receive payment for, health care in the normal course of business?
- If the answer is yes, does the person, business, or agency conduct covered transactions?
- If yes, are any of the covered transactions transmitted in electronic form?
- If the answer to this question is yes, the person, business, or agency is a covered health care provider and must comply with all HIPAA regulations
In regards to the consent/authorization which is signed with the correctional institute, you should definitely notify that agency/ P.O. or whomever is the designate regarding revoking that consent as this was the originator of the consent.
I believe you are referencing an authorization form in your second question and yes you may use a single form but must stipulate the intended use, recipient of the information, dates, etc. as noted in the guidelines. There are some exceptions concerning multiple use noted in the regulations. The form could have fill in the blank information and also note all departments but the actual agency or department must be addressed by some method. (Posted 10/15/03)
On page 9 of your Privacy FAQs you stated that “The acknowledgement
of receipt of the NPP needs to be obtained once unless the NPP has been
changed.” It also states “The new NPP must then be distributed
immediately.” In training, I was told that only if we make material
changes to the NPP do we need to distribute it and that as long as the
most current NPP is on our website we do not need to re-distribute.
Also that we do not need to get another signed acknowledgement. Please
advise.
This is one of those confusing topics in the HIPAA Privacy Rule. The
NPP must first of all contain a statement that it reserves the right to
change the terms of its notice and to make the new notice provisions
effective for all protected health information that it maintains. The
statement must also describe how it will provide individuals with a
revised notice [164.520(b)(1)(v)(C)] Therefore, you do have a little say
in this area but remember you must disclose this in your NPP. Therefore
you may elect to post the revised notice and have available new copies of
this notice with a notification as they enter your system that a change is
in place.
Furthermore, the covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. [164.520(b)(3)]
And as a covered health care provider that has a direct treatment relationship with an individual, you must whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section. [164.520(c)(2)(iv)] This applies to posting the notice, revising the website posting, and having a copy of the notice available upon request.
In regards to the signed acknowledgement the regulation does not note specifically that you must get a new signature. However, it makes good business sense that when you make a material change and you are providing this information to an individual, you would document that the individual has received this new document or has knowledge of the changes. An acknowledgement signature would surely provide this proof. (Posted 10/15/03)
I work in a busy hospital ambulatory procedure department. Our
waiting room is directly across from the nurse's station, and discussions
about patient care can be overheard in the waiting room quite easily, even
when voices are kept low. Because facilities are not required to make
structural changes, other than cautioning the staff and doctors, does
anything else need to be done?
I can certainly understand your dilemma concerning architectural
changes but you can reasonably separate this area by using glass or
Plexiglas partitions creating a sound barrier. This falls under a
reasonable change in order to protect PHI and will be well worth that
small investment. You can also create a sound diversion with the use of
televisions or music in the waiting room. This creates noise in that area
which keeps conversations from being easily overheard. You may also
position the chairs in the waiting area as far away from the nurse's
station as possible and turn them so that their back is to your area as
well as turning your chairs and conversation away from the waiting room.
By using head sets for telephones, you can speak in a lower tone and be
easily heard by the caller on the phone but not by those in the waiting
area. And always remember to keep the information about patients and
identifiers to a minimum if at all. (Posted 10/15/03)
How can I find out more information on requirements for patient
record retention. Is it true that records must be kept for the life of the
patient??
To answer this question, you must look to the different standards
available to health organizations.
HIPAA speaks of a 6 year retention for Privacy policies and procedures, accounting of disclosures, etc. The actual medical record retention is governed by federal health record requirements outlining record retention. Each state also has its own separate retention standards and regulations. And accreditation agencies may also have their own retention standards requirements.
You can also look to the American Health Information Management Association (AHIMA) for guidance on this topic. (Posted 9/8/03)
I would like a definition for "individually identifiable
information".
Individually Identifiable Health Information (IIHI) is information
that is a subset of health information, including demographic information
collected from an individual.
This is information that is created or received by a health care provider, health plan, employer, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. In other words it is the information that can actually link a patient to health information.
IIHI can actually identify an individual or provide a reasonable basis for identifying the individual.
The list of identifiers can be found in section 164.514 of the Standard. (Posted 9/8/03)
Is there is a limit to how much can be charged per page or per hour
to prepare a patients request for health information?
The regulations do not stipulate a dollar amount for preparing a patient's
request for information. Although it is noted in the regulations what can
be included in these fees and that this fee must be reasonable. Therefore,
with that in mind you should be prepared to defend the fee which you
charge in reference to reasonable. (Posted 7/10/03)
I work for a small company that has business associate agreements
with the physicians and facilities, we offer new technology in the
marketplace, we are running into a problem in getting the insurance
companies to verify patient eligibility and benefits, even though we have
signed contracts in place. We do all the billing and negotiation of the
claim prior as usually we are billing for an unlisted CPT code that
currently has no designation. What do I do to overcome the challenges of
getting benefits from the insurance companies?
This is a difficult question to answer without more information such
as what your Business Associate Agreement actually states. However, I
suggest you develop a list of all information that is absolutely necessary
to perform your job regarding obtaining benefits information. HIPAA states
that you must pay attention to the minimum necessary information needed to
perform this task. Once you have developed this list work with the
providers to attain only that information. This will show your Business
Associates that you are well aware of the HIPAA guidelines but need
certain designated information to perform the task necessary for health
care operations. (Posted 7/10/03)
Where should the charts be kept when the patient is to be seen
and is in the exam room? Should they be in the room, outside on the door,
outside the door on the wall? Or somewhere else?
I’m assuming that you are speaking of the individual’s specific chart and
if so there are no direct HIPAA regulations regarding this practice. You
should follow the practice of your office, which you believe is the
safest. If you do put charts outside on the door or on the wall, be sure
to have the name concealed if at all possible by turning the chart inward
with the name to the wall or door. You may also use a deep sleeve that
will conceal the name from the public or other patients who may be in the
hallway. A good rule of thumb to follow is to imagine your name on that
chart or other item and protect it, as you would wish your information
protected. (Posted 7/10/03)
I am looking to get an answer for the following concern of ours: Do
we have to take off resident's name from the doors, how about the working
folders on the unit?
HIPAA does not specifically stipulate answers to your questions but
places reasonable options in your hands. If there is a secure way in which
to handle these issues and thereby provide privacy for the patients, you
should take those reasonable steps. You should also document your actions
by placing this information in a policy and procedure and in some cases
the Notice of Privacy Practices. My suggestion to you is that you take a
look at all of the protected health information (PHI) which is in the
public's view and place your name on that information. Would you want your
PHI protected in a different manner? Is there someone or some institutions
that you would not want to see this information? Remember, your
organization must comply with HIPAA to the best of its ability and
document these efforts. (Posted 6/19/03)
What are the limits specified in the act for release of medical
information to family members who are inquiring about a hospitalized
individual? Is there a difference if there is a medical power of attorney
form on file?
The act essentially puts the onus upon the patient and
the provider to release information to family and friends involved in the
care of the patient.
What many providers are doing involve getting a listing from the patient during registration of who a designated contact person or two will be. If this is done verbally, it is documented at the time of instruction. The notation is then consulted whenever inquiries are made of the provider for information on the patient.
It is understandable that this is causing a lot of agitation for family members. However, providers have taken it upon themselves as a precaution to avoid disclosure to the "wrong person". (Posted 6/19/03)
As a health care provider, what do we do if a patient refuses to
sign any HIPAA forms of consent or authorization? Can we still treat the
patient and what are our boundaries?
In general, treatment cannot be conditioned upon the patient signing
an authorization. In the Privacy Guidance issued by OCR on December 3,
2002, clarifications were made on the difference between authorization and
consents.
HIPAA is concerned with the disclosure of protected health information, thus such information may not be disclosed without the authorization of the patient. If the patient refuses to sign this authorization, in most cases, treatment cannot be withheld.
The consent provision was taken out of HIPAA. The consent for treatment is voluntary under HIPAA privacy guidelines. According to the Guidance, “covered entities that institute consents for treatment have complete discretion to design a process that suits their needs”. You could withhold treatment without the signed consent for treatment if you so choose. It is important to document in all cases when this occurs in case of any disputes that may result. (Posted 6/19/03)
Are old records that have been copied and sent from other providers
considered a part of our medical record? When complying with a request for
records, are we allowed to also copy those other records or not? It would
seem that once we receive them and they are a part of our chart, then they
become "our" records and should be included when records are requested.
There is a great deal of confusion regarding this issue.
Your question is another in an ongoing debate in the industry. There
are those that will not release this information, claiming that
information received from a third party does not fall into the "Designated
Record Set" for release of information as described by HIPAA. Still, there
are those who believe that once the record is incorporated into a
patient's record, it's fair game.
It actually goes to the state level in some cases to be decided. I am not familiar with your state's laws and I would check the pre-emption language (state more stringent than HIPAA) regarding this. Absent that, I would contact legal counsel for an opinion. We cannot and will not offer legal opinions.
I can tell you, however, that the majority of the providers that I personally have talked to are including records that were received for the direct treatment of a patient to be a part of the patient's medical record. Once again, this is not a legal opinion. You must be comfortable in defending any decision you make in this regard. Please ask legal counsel. (Posted 6/19/03)
I work in an acute care facility and would like to know if it is a
HIPAA violation to allow allergy stickers to be placed on the front of
inpatient binders. Some of the stickers list the specific allergens and
some simply alert the physician to the existence of an allergy. The
patient's name is on the spine of the binder. I do have some physicians
complaining about this practice as well. They prefer that the name be
placed on the front of the binder with allergy stickers. What is allowed
under HIPAA for both of these situations? What about other condition alert
stickers, such as....diabetes, transplant status, etc.?
The key to HIPAA is not in the stickers themselves, but how, overall,
the patient records are being protected. Can the average
visitor/non-medical staffer access the file? Is the file left out and
unsecured?
The reasonable protection of confidential patient information is the key to HIPAA compliance. If the chart is properly secured, the stickers are not an issue. (Posted 6/12/03)
I'm the Advisor for a hospital sponsored organization, Senior
Friends. Senior Friends is a national organization sponsored by Hospital
Corporation of America with our local chapter being sponsored by our local
Medical Center. Senior Friends and the hospital has sponsored health fairs
in the past, such as stroke screenings, blood pressure, etc. and have
considered even lipid screens (blood tests). Our concern is that under the
new regulations, are we responsible for maintaining medical records for
people who might attend a health fair or expo where screenings are set up
or if we have simple blood pressure checks in our office? Health Fairs are
currently on hold throughout our facilities until we have clear
instruction as to how HIPAA regulations relate to these events.
In several contacts with the Office of Civil Rights (OCR) and with
peers, this has been and continues to be a gray area of the HIPAA
regulations. If you are collecting, storing and maintaining protected
health information (PHI), you are most likely required to provide a Notice
of Privacy Practices (NPP) document outlining your organization's privacy
policies. If you are not collecting, storing and maintaining protected
health information, you would not be required to provide NPP's or any
other privacy-related documentation.
OCR has yet to address this issue through any type of guidance as of this writing. They are aware of the many questions about the health fair events and the potential HIPAA impacts.
One further question would be on the route you take when "sub-optimal" results are reported back to the patient. Is any record of that kept by your organization? If so, you would most likely be impacted by HIPAA privacy. (Posted 6/12/03)
Please define what constitutes a "public" workstation. I work in an accounting office for a national dialysis clinic. Our Accounts Receivable Department handles the accounts for over 250 dialysis clinics located throughout the United States. The general public, including patients, do not have access to our office. We deal strictly with the clinics themselves and this is done by the computer, fax, snail mail and phone. The only people present in our work area are our employees all of whom have signed a confidentiality oath.
Thank you for clarifying this term...."public" workstation for me
and my co-workers.
The definition of public workstation goes beyond the general public’s
access. While “public” generally refers to this group of persons, HIPAA
also touches on minimum necessary access and need to know provisions.
If each employee in the clinic has the same access rights (and they probably should not), then there probably would not be a large issue. The issue, however, is with different employees needing different levels of access to do their jobs and workstations being left unsecured. If person A, for example, is a billing person and leaves his/her workstation with a screen visible, and person B can walk up and see information he should not see, this could be considered to be a breach of privacy.
The key is securing workstations by logging off after non-use, logging off when leaving the workstation, and not keeping screens in general view of those who don’t need the information to do their jobs. (Posted 6/12/03)
My question concerns radio transmissions between ambulance corps,
police dispatch and the hospital. Since many people have scanners, is it
still acceptable for the police dispatch to give the nature of the call
and the call location over the radio? And can the ambulance crew relay
this information and patient condition to the hospital over the radio?
In the Privacy Guidance from OCR, the following question was asked:
"Does the Privacy Rule require hospitals and doctors' offices to be
retrofitted, to provide private rooms, and soundproof walls to avoid any
possibility that a conversation is overheard?"
Answer: No, the Privacy Rule does not require these types of structural changes be made to facilities.
Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. "Reasonable safeguards" mean that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. The Department does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, the Department will take into account the concerns of covered entities regarding potential effects on patient care and financial burden.
For example, the Privacy Rule does not require the following types of structural or systems changes:
- Private rooms.
- Soundproofing of rooms.
- Encryption of wireless or other emergency medical radio communications which can be intercepted by scanners.
- Encryption of telephone systems.
Covered entities must provide reasonable safeguards to avoid prohibited disclosures. The rule does not require that all risk be eliminated to satisfy this standard. Covered entities must review their own practices and determine what steps are reasonable to safeguard their patient information.
The key is reasonability. If you are making every effort in this case, you should be in compliance. (Posted 6/12/03)
I work in the health insurance industry and a recent article in the
Dallas Newspaper caught my attention. Per the article, churches and other
religious organizations are bound by HIPAA. This goes against what I
knew/understood to be the case. Can you confirm my understanding or
elaborate on the limitations placed on Churches in regards to
announcing/praying for the sick?
The limitations on the clergy itself are not all that strict. The
clergy is not a covered entity for HIPAA purposes. The onus is on the
facility to make available to opt-out for the directory and clergy
notification. If this is completed and the patient is a "no-list" for
clergy, and the facility follows the instructions, the only disclosures at
that point would be incidental disclosures. That is, if a clergy member
walks through the hospital and sees John Doe in the room, this would be
incidental.
Nothing legislatively covers the clergy member from going back to the pulpit and making the announcement that you are in the hospital. Many facilities, however, are training clergy members in the ways of privacy. They are letting the clergy know that some patients want their privacy and don't want the church to know. This is more of an ethical issue that many clergy are reacting positively to. (Posted 6/12/03)
Is it a violation of HIPAA for a doctors office to leave a message
on a patients home answering machine confirming an doctors appointment and
also stating the nature of the visit? My doctor left a message confirming
an appointment for an exam and the message was played back by my parents
since I wasn't home yet. Is this a violation of my privacy?
The following is from the Guidance on HIPAA Privacy, provided by the
Office of Civil Rights (December, 2002):
Q: May physician's offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients' homes?
A: Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual's privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.
A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).
So, unless you have specifically requested that confidential communications be used, the provider did not violate your privacy in this instance. (Posted 6/5/03)
Please let me know if a case number from IP is considered PHI alone
or does it need to be attached to a member name, DOB or something else
before it would be password protected.
If that case number can in any way identify a patient, it is
considered PHI. Therefore, it is difficult to answer your question without
knowing this information. A good rule of thumb is to simply ask yourself
if you could trace a potential identifier back to a patient and if so, you
can be assured that that number, date, name, etc. is considered an
identifier. (Posted 6/5/03)
I recently went to a doctors office to get some personal tests run... I was very adamant and concise about how they were to contact me... no phone calls to my office or my home...none...I clearly stated, not only verbally but on my admissions, that they were to contact me via email only...
Then they called me at my office telling the receptionist that MY DOCTOR called and wanted me to call back...
I work in a small office that has my MD's as clients but I purposely chose an outside MD for privacy issues...as you may well know small offices tend to gossip and enjoy other people's business...
First of all...no call should have been made, but if a call must be made they should not have stated they are MY DOCTOR...just hang up and call back...
What are the regs on this?
This question is indeed one of the reasons for the HIPAA privacy
legislation. Our health information is very private to us and should be
kept private by those who have been given this privilege. HIPAA clearly
states that individuals have a right to request confidential
communications and that covered entities must abide by that request.
Therefore, this provider has violated your privacy and the HIPAA privacy
regulation. I suggest that you contact the provider and ask to speak with
the privacy officer and report this breach. Every entity covered by HIPAA
must have a Privacy Officer. You may also report this breach to the
Secretary of the Department of Health and Human Services (DHHS). All
complaints to Secretary Tommy Thompson must be made in writing, be made
within 180 days of the actual act requiring a complaint and must name the
entity and subject of the complaint. The provider must supply you with
this process. My suggestion is to work directly with your provider to
clear up this breach and prevent additional breaches. If the issue is
unresolved you may need to take the next step. (Posted
6/5/03)
I am a consultant to Long Term Care Facilities. I have a question
about the accounting of disclosure to state agencies. I believe the state
surveyors can access the records and we do not have to log their review of
the records in the accounting of disclosure because this is part of health
care operations. My question is, does this apply to the nurse who
investigates complaints of abuse and neglect? This is not the usual health
care operation and would fall under public health authority or health
oversight and should be logged.
You are correct, the nurse investigating a complaint of abuse and
neglect must log this disclosure in the accounting of disclosures.
Although, it is permissable to share this information without written
authorization from the patient. (Posted 6/5/03)
I work in an ambulatory surgery center. When we call our patients
for follow-up after their surgery, is it acceptable to leave more
information than just our facility name and nurse’s name with a request to
call us back? Our patients get confused about who is calling, and why,
even though we inform them before discharge that a nurse will be calling
to check up on them. If we have this information in writing on the
discharge instructions, and the responsible party signs the instructions,
are we covered under HIPAA? Specifically, is it alright to say that we are
calling to check up on the patient if we get an answering machine?
Your question concerning information is a good one but one that is
difficult to answer with one simple answer. In many cases, the information
you are giving may be just fine but in some cases it may not and this may
set up a harmful situation. Therefore, the best way to handle the
situation is to place how you communicate with patients in your Notice of
Privacy Practices. This should be very detailed. If patients request a
different method of communication, you must clearly record this request,
disseminate it to all who may be involved and abide by the request. (Posted
6/5/03)
In our waiting room we have a bulletin board that parents place
their children's pictures on. There are no names given on the board. Is
this in HIPAA compliance or not?
Under the rules of HIPAA, a picture is considered to be identifiable
information. However, since you indicated that the parents place the
pictures there, that implies that the parent is authorizing disclosure of
the identifiable information. If you want to be within the letter of the
law, get a signed authorization from the parent. This will guard against
any question that could be raised.(Posted 5/29/03)
I am a police officer for a medium sized municipality and I am
wondering about our status under the HIPAA regulations. As a first
responder to violent crimes, all severity's of vehicle crashes and other
related items I was wondering if as a part of our investigation of crime
are we allowed to collect basic medical information from EMS providers to
investigate a crime. For example a colleague of mine responded to a hit
skip vehicle crash where a pedestrian was struck by a car that fled the
scene and our local fire department paramedic squad also responded to the
scene. As a part of his investigation the police officer asked the
paramedics the victims severity of injuries, which is required information
on the traffic crash report and for any criminal investigation that would
follow. He was told by the paramedics that they would be in violation of
HIPAA to divulge any information on the victim. I found this to be
incredibly ridiculous as the information that the officer was asking did
not concern any of the victims medical history or treatment being received
but important information that would be needed to solve a crime. Are the
paramedics in my city right in their interpretation of the HIPAA standards
and regulations or are we, as first responders to scenes, entitled to
receive the basic information for protection of the victims rights and to
solve crimes? What information are we allowed to expect to receive from
EMS units that respond to crime and vehicle crash scenes?
You are correct it is not HIPAA's intent to hamper your investigation.
Protecting privacy of health information is a prime objective but other
valuable protections for individuals should not be placed in jeopardy. You
can refer to, and also refer the paramedic to, section 164.512(f) in the
HIPAA Privacy Standards. This entire section speaks to the disclosures for
law enforcement purposes that do not require an authorization. You can
find this document at this link:
http://www.hhs.gov/ocr/combinedregtext.pdf . By carefully reading this
entire section, you will see the many instances where law enforcement
agencies may gain access to information necessary to perform their jobs.( Posted 5/29/03)
Would you have an example of a Disclosure Log?
Accounting of Disclosures must be tracked and the documentation should
include date of disclosure, recipient of information, what was sent, and
the purpose of the disclosure. You should also track requests that a
patient or client makes for an accounting and this should contain the
patient’s name, date of request, date satisfied or denied, and details of
request or denial. A simple electronic solution provides the best option
for tracking this vital information.
Beacon Partners
has developed a simple solution, please contact us for further information
on this product. (Posted 5/29/03)
I work in a Doctor's office. If a patient wants to change their
primary doctor to the doctor I work for I send a signed consent for
release. What has to be done on this form to be HIPAA compliant?
Nothing-special needs added to this form for HIPAA. HIPAA does not
require a consent or authorization for treatment, payment, or health care
operations. This falls under treatment and therefore the exchange of
information is okayed by the patient’s request as covered in your original
consent. (Posted 5/29/03)
The surgeon and ambulatory surgical center for whom I work are
affiliated entities by ownership, etc and we have declared as such. They
are two separate corporations each with their own tax id numbers.
Therefore, we have one privacy notice for both entities. We are only
filing the notice of receipt in the physicians chart. I am wondering if I
need to file a photocopy in the surgery center chart of the mutual
patient.
Yes, you should file the receipt of NPP in both places. Therefore if
the patient presents at the surgery center you may know whether or not
this requirement has been satisfied, if not the NPP must be offered at
this time and then filed in both places. (Posted 5/29/03)
I work for an audiology-based company. We provide our patients with hearing healthcare such as earwax removal, hearing evaluations, and hearing aids. When a hearing aid is sent out for repair, the patient's name is on the repair form and the manufacturer knows the patient's hearing loss, etc. This is considered PHI. Because we are a busy office, we ask all patient's when they come in to sign our Authorization to Disclose/Use form. I have two questions.
1. If a patient does not sign this authorization form, can we still see them and can we still treat them with hearing healthcare such as sending an aid out for repair?
2. At fairs, we bring out portable video otoscope which allows
people to see the inside of their ears. This is done in front of people
passing by. Is this ok? Do we need them to sign a form? Or is verbal
consent good enough?
The work that you have described is for both treatment and healthcare
operations, therefore you do not need a signed authorization to perform
these functions. Although you may want to include this information in your
NPP to alert your patients of how their information is used. (Posted 5/29/03)
I am a dentist. If I refer a patient to a specialist, do I need a
"Business Associate Agreement" with that specialist to receive a report
regarding the treatment or a copy of the treatment radiograph for the
patient's record?
You do not need a Business Associate Agreement when referring or
participating in a consultation. It is not HIPAA’s intent to hamper
treatment, payment or health care operations. You should also include this
information as part of your employee’s training so that all of your staff
is operating from the same level of understanding. (Posted 5/15/03)
Is there a certain format in terms of font, point size, etc for the
patient privacy notice?
The Privacy Regulations contain many references to reasonability. This
is another one. There is no specific guideline for font size, point, etc.
It all comes down to reasonably being able to read it, both in size and in
language. (Posted 5/15/03)
What do we need to show as proof of compliance? Is there a form and
who do we send it to?
I am responding to your question about proof of compliance.
Unfortunately, there is no "proof of compliance" form. The proof of HIPAA
compliance will come during day to day operations. If you are a covered
entity and you have followed the necessary steps toward HIPAA compliance,
you should be able to avoid the complaint process which will test
compliance.
If a patient or his/her representative feels that their privacy has been compromised, they will file a complaint with the Office of Civil Rights, which may initiate an investigation into your covered entity's HIPAA compliance. (Posted 5/15/03)
I am a premedical student at Cornell University, in my junior year of undergrad studies. I've been trying to arrange a shadowing (internship) with some local doctors, but they hesitate to take me on due to HIPAA's new regulations.
Do the new regulations restrict premedical (undergraduate) students
like myself from shadowing/interning with doctors? While I definitely
appreciate patient privacy concerns, how are we to gain experience in the
medical field while complying with HIPAA's regulations?
The premed program could be considered a training program and
therefore is permissible under HIPAA for PHI to be shared. It is not
HIPAA”s intent to restrict education. This training must be done under
supervision in order to practice or improve skills as health care or
non-health care professionals. As a student you must follow the guidelines
of that healthcare provider’s HIPAA policies and procedures. Students fall
under the Healthcare operations umbrella which is referenced in the
definitions section of the Privacy Regulations (164.501)
(Posted 5/15/03)
I am looking for information on the HIPPA guidelines pertaining to
mental health providers. Do you have a booklet we can obtain?
Unfortunately, we have no booklet available for this topic. Some
things to note: First, depending on the state you are in, mental health
guidelines for states are more strict than the HIPAA guidelines. In this
case, the state regulations would preempt the HIPAA guidelines.
Generally, psychotherapy notes are given special protections, as long as they are not part of the employee's general medical record.
This is an area that is a little more complicated than the general HIPAA guidelines. There are many things to look at, including any notices of Privacy Practices, billing concerns, etc. (Posted 5/15/03)
I am a dental consultant located in the Denver area and am trying to find out if it is permissible for the dental office to post their daily schedule of patients by name only in the treatment areas, or would this be a HIPAA violation? Rationale: If a patient sign-in sheet is permissible at the reception area then it seems as if a daily schedule should be permissible to post a