I am a photojournalist doing photography work for Paramedic Text books and Paramedic trade journals and for the EMS agency itself to use the material for training, etc. The EMS agency is willing to allow me to ride to calls with EMS crews to obtain this material. I understand that in a patient's home I cannot photograph the paramedics unless I have approval from the patient and the EMS crew feels it will not be a determent to the patient. Furthermore I am bound by third party laws pertaining to invasion of privacy and would always need to secure consent and obtain a signed release before any publication. This is required even if there were no HIPAA requirements. The same goes for any photographs of the patient in the ambulance.

We have prepared a release for publication for the patient to sign. I understand that as a photojournalist I am not considered a HIPAA entity however I must take steps to ensure the EMS agency is not violating any HIPAA privacy laws. Have I covered all of the bases as it pertains to HIPAA? Is there anything that we are doing that might not meet HIPAA requirements?
I suggest you follow the process currently in place for release of information in regards to taking the photographs. I also suggest that you sign a business associate agreement (BAA) with the EMS agency. This agency is considered a covered entity (CE) under the HIPAA guidelines and therefore must follow those regulations. Any outside individual or organization that the CE shares or exposes this protected health information (PHI) with, which the covered entity must secure and keep private, must enter into a BAA. The BAA states that the non-covered entity will treat this PHI in the same manner as the CE. During these encounters with patients, you will see and hear PHI and this must be protected therefore the BAA will protect the patient and the EMS agency. Here is a link for a sample BAA drafted by the Office for Civil Rights through the Department of Health and Human Services:  (Posted 3/1/04)

I work with a major healthcare administrator who is looking at outsourcing the folding/inserting and mailing of forms and billings. I believe that having the mail house personnel handle these items would be a violation of privacy issues. An I correct?
It is not a HIPAA violation to outsource health care operations. However, as a covered entity, you are responsible for the privacy and security of this protected health information. Therefore, protected health information that is being shared must be protected under a business associate agreement. This agreement tells the outsourcing organization that this information must be protected the same way your organization would as a covered entity.

The following link will take you to a sample business associate contract:  (Posted 3/1/04)

I work in an acute care setting and often we receive attorney requests for patients they are representing. The request states production of "any and all" records. Under the minimum necessary standard, shouldn't we be asking the attorney to be more specific and spell out any dates of service they need to adequately litigate case for the patient? Our correspondence clerks feel that they have to go into cold storage and copy all visit records from 7-10 years prior.
You are correct, minimum necessary does come into play concerning release of information. An attorney must also notify the patient and request signature if at all possible.
Noted below are the minimum requirements covered entities will be looking for in an authorization form:

  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
  • The name or other specific identification of the person(s) or class or persons authorized to make the requested use or disclosure
  • A description of each purpose of the requested use or disclosure
  • An expiration date or expiration of event (i.e. end of trial)
  • Signature of individual and date

If the release of information is requested as a court order or in a dispute you must follow those specific guidelines. You can find the actual privacy regulation and download from the following link

(Posted 2/10/04)

I am the Records Manger for El Paso County in Colorado Springs, Colorado. The function of my department is to store documents for the various office/departments throughout the county and retrieve the files when they are needed. When a document is needed, the user sends an email to our Help Desk with the indexing information and creates a work ticket. This ticket is printed on our printer (which is located in a locked office area) and we use this to look up the box location. The work ticket is kept in a filing cabinet until the document is returned. When the document is returned, the work ticket is placed in a recycle bin where the papers will be shredded. We store medical files for the inmates under the Sheriff’s office and medical files for the Health Department. When either one of these users need a file, the information emailed is a name only for the Health department and a name, admit number and sometimes a date of birth or a social security number for the Sheriff. The email is sent to a distribution list that includes four people working on the help desk and the three Records Center staff members. My question is this: are there any HIPAA violations by handling the requests in this fashion?
From the process you are describing, it sounds like you have certainly thought this through and are taking steps to protect PHI. What you are doing by supplying these records comes under the heading of health care operations and therefore allowable. The only operation that makes me a little nervous is the email process but this too is okay as long as the email is secure. Your policy and procedure, which you are following is well constructed and I suggest that this policy is documented and all employees involved educated on this process. (Posted 2/10/04)

My wife has been to several doctors to try to find out why she has tremendous pain in her leg. She was finally referred to a "Pain Management Clinic". Every doctors office we have been to allowed me, her spouse, to accompany her to the exam room on the very first and subsequent visits, but this "Pain Management Clinic" refused to allowed me to accompany her during the initial exam. They stated that due to the new "HIPAA" regulations, no one but the patient is allowed during the initial exam. Is this true? Does the HIPAA rules state this? Or is this possibly just the protocol of this particular office?
Unfortunately many policies have been blamed on HIPAA and that seems to be the case in this instance as well. The practice may certainly want to check with a new patient before disclosing their protected health information with others. However, if your wife states that you are to be involved in her care and she does not wish to have any information kept from you, this information may then be shared. The office may wish to have a private meeting with the patient and that my be part of their policy but it is not a HIPAA policy. (Posted 2/10/04)

Is it considered a violation of HIPAA if a nursing student of an accredited school reviews their own medical chart at a hospital? Especially if no information was altered or passed on beyond that student themself?
The definition of “health care operations” in the Privacy Rule provides for “conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.” Covered entities can shape their policies and procedures for minimum necessary uses and disclosures to permit medical trainees access to patients’ medical information, including entire medical records. However, nursing students must work under the same policies as the employees of the hospital. Minimum necessary refers to the minimum amount of information that is necessary to perform the employee's task. Therefore, reviewing the student's individual medical record does not fall under that definition and probably violates the organization's policy. (Posted 2/10/04)

I work for an ambulance service that transports patients to and from hospitals, extended care facilities and home address. Is it against HIPAA to look at the patients packet of medical paper work that is given to us from the hospital and or medical facility's. A lot of the time we have to look at the records to find out what is wrong with the patient or medications they
are on due to possible complications during transport. We also have to document patient history in our run report. We also get patient face sheets with patient information on it such as address, SS#, birth date, insurance #, Guardian info, etc, etc.... Is any of this against HIPAA and what are our limitations being a ambulance service?

The HIPAA Privacy Rule permits an ambulance service or other health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider, such as a hospital, for that provider’s treatment of the individual. The provider may also disclose this information to an ambulance service as they are taking part in the treatment of the patient by transporting the patient in a safe manner. This requires sharing health information.
See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501. (Posted 2/10/04)

We are self-funded and self-insured for our health plan. Can you help with a hypothetical situation? A police officer has a hospital stay and in the medical notes I find out he has Hepatitis. He is returning to work as a police officer, is there any information that I can share with his Police Chief that he has a contagious disease because he will be around fellow police officers and the public? So far from what I have read I see no exclusion unless he signs an authorization for me to share this information.
All States have laws that require providers to report cases of specific diseases to public health officials. The HIPAA Privacy Rule permits disclosures that are required by law. Furthermore, disclosures to public health authorities that are authorized by law to collect or receive information for public health purposes are also permissible under the Privacy Rule. In order to do their job of protecting the health of the public, it is frequently necessary for public health officials to obtain information about the persons affected by a disease. In some cases they may need to contact those affected in order to determine the cause of the disease to allow for actions to prevent further illness.

The Privacy Rule continues to allow for the existing practice of sharing protected health information with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting deaths and births, investigating the occurrence and cause of injury and disease, and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices. See the fact sheet and frequently asked questions on this web site about the public health provision for more information.

Therefore, you should follow your state's protocol and report the information to the public health agency and not to the Police Chief. The agency will follow correct protocol if a danger to others is anticipated. (Posted 2/10/04)

I work in the HR Dept. at a medium sized company and, as a department, We would like to send get well cards to employees who are out on FMLA/Medical Leave. Could this be considered a violation of HIPAA?
As long as your company is not considered a Covered Entity. Also HR records which are a subset of the employee records are not considered Protected Health Information. If an employee submits notice for a medical leave, this information has nothing to do with the HIPAA Privacy Regulation. Your HR department may follow whatever privacy and confidentiality policies it has developed and this will not be seen as a HIPAA violation. (Posted 2/10/04)

I am working with an insurance company to produce materials that encourage their insured customers to live healthier lifestyles that would lower insurance and healthcare cost over time. I would like to compare use of healthcare services at the beginning of the project to levels of use one year later. Can insurance companies publish statistics based on patient data regarding use of healthcare services?
Where a covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function, the covered entity satisfies the Rule’s requirements that it obtain satisfactory assurances from its business associate with the data use agreement. For example, where a State hospital association receives only limited data sets of protected health information from its member hospitals for the purposes of conducting and sharing comparative quality analyses with these hospitals, the member hospitals need only have data use agreements in place with the State hospital association. Therefore since you will be using this information for health care operations and I assume you are acting as a Business associate and have signed that agreement, nothing further is necessary. However, publishing this information can only be done with completely de-identified aggregate data. Anything that is published can not in any way identify patients without their authorization. (Posted 2/10/04)

I work for an insurance company in Oklahoma. The company's name is Old Surety Life Insurance Company. It is owned by Enterprise Holding Company. Enterprise Holding Company also owns Enterprise Marketing Corporation which is an insurance agency. Old Surety Life, the insurance company, has approx. 10,000 medicare supplement insurance policyholders. Can Old Surety Life Insurance Company provide basic information to Enterprise Marketing Corporation about it's policyholders such as name, address, city, state, zip, DOB, and agent without disclosing to the policyholders that it is sharing this information? Can Old Surety Life Insurance Company provide this same basic information to Enterprise Marketing Corporation about it's policyholders such as name, address, city, state, zip, DOB, and agent if it provides a value added benefit?
It appears you are attempting to market protected health information. Under HIPAA if a health care operation communication does not fall within one of the specific exceptions to the marketing definition, and the communication falls under the definition of “marketing,” the Privacy Rule’s provisions restricting the use or disclosure of protected health information for marketing purposes will apply. For these marketing communications, the individual’s authorization is required before a covered entity may use or disclose protected health information.

The following link will provide additional guidance concerning marketing. This link will take you to the Marketing Fact Sheet developed by HHS.  (Posted 2/10/04)

Are sign in sheets allowed to be used in the patient area?
Yes, sign in sheets are allowed. However, you should take a reasonable approach to protecting this information. Therefore, a minimum amount of information should be requested. By marking through names periodically with a marker that will obliterate that information, you are making an extra effort to protect PHI. If you proceed with many of these regulations with how you would like to see your PHI or that of a loved one's maintained, it will be easier to determine what is considered a reasonable attempt to protect PHI. (Posted 2/10/04)

I work for a Manufacturing Co who has posted notices that all Dr. excuses must have the diagnosis on them. This seems that this is a privacy issue. I don't know where or who might see this information.
This may very well be a privacy issue but it is not a HIPAA privacy violation. The manufacturing company is not considered a HIPAA covered entity and therefore does not fall under the guidelines of that regulation. It appears that this is simply a company policy which they feel is necessary to maintain adequate staffing and control call-offs. Hopefully those persons that are in charge of receiving this information are professional and will maintain your privacy. (Posted 2/10/04)

The medical office, which I visited recently, provided my personal information to a laboratory, where my test has been performed without my permission to use this information . I received to my home address the giant bill for this test. The staff of medical office didn't make me aware that this test must be done outside and is supposed to be paid directly to the laboratory. Was there a violation of my privacy from the side of medical office, because I didn't sign ANY paper to release my information out of this office?
Under the new HIPAA regulation, Covered entities such as your medical office may supply personal information for treatment, payment, and health care operations. Therefore, the exchange of information given to the laboratory is not a violation of HIPAA. The medical office should include this type of disclosure in their Notice of Privacy Practices which you should have received after April 14, 2003. Aside from HIPAA, communication is vital between patients and health care workers. Please be aware that you have the right to ask as many questions as possible for you to understand your care and the processes involved in your care. Clear communication is the key and certainly leads to an informed patient. You may also inform your physician of any concerns you may have with disclosure of your protected health information and ask for specific restraints on that information. (Posted 2/10/04)

I am in a custody case and my ex wife's attorney subpoenaed several local hospitals. Without my knowledge or consent and without a court order, the hospital disclosed my medical records going back over 20 years. Assuming this is a violation of my rights under the new law, what action can I take?
Since I am not sure of the reason for subpoenaed records The section of the regulation you would want to review is
§ 164.512. I am including the link to the regulation The section you are looking for starts on page 24 of the actual regulation. Please carefully read through this section and determine if your rights were violated. If after reading you believe your rights have been violated you may file a complaint with the covered entity which released those records by contacting their privacy officer. You may also file a complaint with the Office of Civil Rights (OCR) I am including a link that will take you to the OCR Fact Sheet with all the instructions on how to file a HIPAA complaint. The OCR receives and investigates all HIPAA Privacy complaints. But in order to be heard you must follow the guidelines noted in this fact sheet.   (Posted 2/10/04)

We are a pediatric clinic and all PHI maintained is regarding our pediatric patients. I understand the HIPAA standards regarding disclosure for judicial/administrative activities and law enforcement purposes. My question is: what if law enforcement were to ask us for information regarding the parent of a pediatric patient for identification/location, warrant or process, etc. Demographic information for the parent/patient/family is contained within the patient's PHI.
As long as you are following the same protocol regarding release of information of the patient, the demographic parent information will fall under the same guidelines. In other words if the process is followed according to the HIPAA regulation and you feel that it is permissible to divulge the PHI, the demographics of the parents is also permissible to divulge. (Posted 2/10/04)

My friend's father has just been hospitalized for a serious illness and cannot communicate. He is in a semi-coma state. He is married to his second wife and the hospital and physicians will only release information to her. She is in her 80s and is not in a position to make effective decisions or understand what the providers are recommending. She acknowledges this and is willing to allow my friend to be the decision maker on her father's care but the facility and providers will not release any information to my friend. Unfortunately, this illness was unforeseen and there is no HIPAA authorization on file to allow release of info to anyone. Because the spouse is considered next of kin, this is the only person they will deal with and it may be jeopardizing this man's health. Is there anything my friend can do?
I suggest your friend immediately contact the privacy officer of this facility. Your friend is a family member as the daughter of the patient and therefore is acting as the patients advocate as well as the 80 year old wife's advocate. Covered entities are certainly allowed to make decisions concerning personal representatives as well as sharing health care information in an emergency situation that is in the best interest of the patient. From what I am understanding the patient had not excluded in the past communication with the daughter and even if he had the current situation with the wife asking for the daughter to step in would override that request if the patient's health or the care is at risk. (Posted 2/10/04)

Can a close friend call a doctor's office and request prescriptions for medication for that friend? Would there need to be authorization for that friend to receive those prescriptions?
The answer to your question is determined on an individual case. The office will probably want to speak to the patient directly for this request. However, if there are extenuating circumstances such as a chronic debilitating illness the patient may state that in the future this "friend" is permitted to assist with his/her care and act as his/her advocate. The office may have an authorization policy for all individuals and may certainly exercise that process. HIPAA's intent is not to impede quality health care but to protect patient's health information. Therefore if you approach situations with both of these goals in mind, you should be able to institute policies and practices that accomplish both goals. (Posted 2/10/04)

A representative from the Dept. of Health in my state told the local paper that they cannot divulge the number of flu deaths in each county, as that would be a HIPAA violation. "According to Health Department Spokesperson Ann Wright, the state is prohibited by HIPPA laws from revealing which counties have reported flu deaths. There have been 13 deaths statewide, with one younger than the age of 21. " (The Baxter Bulletin, Dec. 24, 2003).

I say it isn't a violation because you are not identifying patients in any way, just a collective number. Why would it be OK to divulge the statewide total and not county total? I think they just don't want to tell the number and are using HIPAA as an excuse.
I believe your county health department is attempting to work within the scope of HIPAA. The numbers of deaths statewide are very small (13). Therefore, when you get down to the county, this number could possibly be much smaller such as 1 or 2. HIPAA states in order to give out deidentified PHI, the covered entity must determine that health information is not individually identifiable. The regulation goes on to list all identifiers which must be removed to accomplish that task. One of the identifiers is all geographic subdivisions smaller than a State, including street address, city, county, precinct, precinct, and zip code. So you can see that although the number represents an aggregate number it could possibly identify that person or persons. (Posted 2/10/04)

I have been told that it is necessary to use a shredder that cross cuts as opposed to one that just strip cuts paper. Is this true?
HIPAA is not that specific in the regulation. HIPAA simply ask that you as a covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure. Under this standard, entities should minimize the risk of unintentional disclosure by taking appropriate action for all PHI that is being disposed. By shredding documents you are certainly taking an appropriate action. If you feel that your shredding system is not reasonably obliterating the PHI you may want to look into a better system. Most shredders are designed to do just that (shred information) whether it is by cross cuts or strip cuts. The bigger problem here is getting personnel to shred these documents or scraps of paper that may contain PHI. This is where you may want to focus the better part of your attention which is not costly but a cultural change issue that needs repeated attention. (Posted 2/10/04)

We are contemplating digitizing our medical records. If we make electronic copies of our records, are we required to keep a hard copy of the record and are there any HIPAA ruling that preclude us from doing the above?
One of the original intents of HIPAA is to move the health care industry into the electronic age. Therefore digitizing your medical records is not against HIPAA. HIPAA speaks to record retention for a period of 6 years which includes maintaining documentation such as policies and procedures and communication concerning records. Many states have individual laws concerning the amount of years medical records must be maintained and this is something you should look into for Texas. If your records are entirely digitized, I see no need to maintain the paper record unless a state law would supersede. (Posted 2/10/04)

There seems to be some conflict in the hospital about the hospital policy and the actual signed request of the patient concerning contacting the patient for out patient services after discharge, specifically, Diabetic Education. I would like to see a complete updated copy of the HIPAA ACT. Hospitals at present do not send the signed HIPA papers with the admission to the out patient services. Please advise about acquiring the actual HIPAA Updated ACT and information about the protocol for the Hospital to admit a patient to the out patient educational services without including their HIPAA signed paper work.
For the complete HIPAA Privacy Regulation Standard, please click on the following link
I am not 100% sure what you are referencing when you speak of the "HIPAA" papers. The Notice of Privacy Practices is the document which discusses your organization's policies on how that specific organization shares protected health information and this may be what you are referencing. The document should be given to patients and a signed receipt acknowledging that the document is received by the patient should be kept on file. (Posted 2/10/04)

I am employed as an RN. My primary responsibility is Critical Care Transport of patients that occur interfacility. Secondarily, we conduct follow up reports on our patients. Is is a violation of HIPAA to request patient information from a primary caregiver of that patient at another facility? The majority of our patients are critically ill and unable to speak or make their own judgements. I have been denied information numerous times despite telling the caregiver that our phone calls are part of a QA process.
Sharing information for treatment, payment, or health care operations is not a violation of HIPAA. If you continue to experience this problem, you should ask to be directed to the Privacy officer of that institution. The institution may want assurance that this information is being cared for in the same manner they would and may need you (your organization) to sign a business associate contract. (Posted 2/10/04)

I work for a private clinic that leaves the exam room doors open while performing an exam. The exam does not require the patient to disrobe. Does HIPAA require that the exam room doors be closed during an exam?
While HIPAA is not that definitive in the regulation, it does state that an identifier is the actual person constituting Individually Identifiable Health Information. Therefore a simple process is to close the exam door, thereby protecting PHI. Not only is the person visible when the door is left open but spoken words are easily overheard and thereby revealing PHI. HIIPAA asks that you make a reasonable attempt at preserving all PHI and closing a door where patients are being examined is certainly a reasonable approach which I suggest you start immediately. (Posted 2/10/04)

We have an employee who took a second (moonlighting) job, which is permitted by our rules. We contacted the other employer to confirm that the employee’s scheduled hours did not overlap with our scheduled hours, and to see if he was eligible for health care benefits at his new employer. We were told that they could not reveal if he was receiving health care benefits because of HIPAA? Is this correct?
You have not identified the type of entity to first determine if they are bound by HIPAA. Although, even without that information, it is clear that the records you are referring to are employee records and they do not fall under the guidelines of HIPAA. (Posted 2/10/04)

Are there any HIPAA restrictions concerning Church ministers visiting hospital patients? If there are, what are they? I am a church laymen and I'd like to visit hospital patients to help lighten the load for the church staff but the staff is reluctant to allow it for fear of HIPAA restrictions.
The HIPAA Privacy Rule allows this type of communication to occur, as long as the patient has been informed of this use and disclosure, and does not object. Providing this information in the Notice of Privacy Practices is a very good way of informing patients of this type of disclosure. The Privacy Rule provides that a hospital or other covered health care provider may maintain in a directory the following information about that individual: the individual’s name; location in the facility; health condition expressed in general terms; and religious affiliation. The facility may disclose this directory information to members of the clergy. Directory information, except for religious affiliation, may be disclosed only to other persons who ask for the individual by name. When, due to emergency circumstances or incapacity, the patient has not been provided an opportunity to agree or object to being included in the facility’s directory, these disclosures may still occur, if such disclosure is consistent with any known prior expressed preference of the individual and the disclosure is in the individual’s best interest as determined in the professional judgment of the provider. (Posted 2/10/04)

I work for a Hospital in Iowa as an RN. My personal information address was obtained by another staff member, either by the hospital giving it out through Human Resources or obtained from our computer system when I was a patient. Can HR give out my person info to another employee? Is it illegal for the employee to obtain the info. from my recent hospitalization?
This is certainly one of those areas where employees feel they are doing nothing wrong by accessing information which they can readily obtain but do not have the right to such information as this is not part of performing their duties as a health care worker. Many times employees feel that they are not in violation of the patient's privacy as they already have access to this information. However, the access is limited to performing their job and I am sure you will agree this is outside of that scope. You should report this breach to your privacy officer so education on this matter is added to the HIPAA Privacy training in your organization. The Privacy Officer should further discuss this breach with that employee. (Posted 2/10/04)

What I would need to do if I knew of an office that was not HIPAA regulated yet. The office that I used to work at is not.  Insurance claims are not even getting paid because the practice is not in the rules and regulated yet! Do you know who I can contact to let someone know this important information? They are not even keeping patient information private!
Here is a link that will take you to the OCR (Office of Civil Rights) Fact Sheet with all the instructions on how to file a HIPAA complaint. The OCR receives and investigates all HIPAA Privacy complaints. But in order to be heard you must follow the guidelines noted in this fact sheet.
(Posted 2/10/04)

I am a registered nurse in an emergency department. It seems that with all the new HIPAA regulations everyone is afraid to discuss anything with anyone. I think it is being blown out of proportion and I don't think that is the intention of the HIPAA regulations. My specific question is this: If social services is called in to investigate a situation where a child was involved in an automobile accident where the mother (the driver) was very much under the influence, can we share information with social service to assist them with their investigation. Can we reveal such things as drug testing and other information related to the mother's condition at the time of the accident in order to protect the child? Also, can information be shared with police?
I am in full agreement with you concerning the misinformation that surrounds HIPAA. HIPAA's intent is not to hamper health care operations but instead to protect and secure individually identifiable health information for all patients. If you read the following notation, you will agree that you are within the guidelines of HIPAA when reporting the incidence noted in your question. Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal. 45 C.F.R. § 164.512(j). (Posted 12/2/03)

We offer an "Ask the Dr." feature on our website. I was going over some information about the requirements of getting an acknowledgement of receipt of the notice of privacy practices. I read that the rule requires that we send the notice to the patient if their first request for service is electronic and attempt to get this acknowledgement. Does this apply to the "Ask the Dr." feature on our website when our Dr. replies to the potential patient? And if this a requirement do you have any suggestion as to how we are to track these if the patient hasn't actually "become a patient" in our office?
According to the Department of Health and Human Services the following guideline must be used with regards to electronic service which I suggest you put into place for your Dr. Feature on your website. For service provided electronically, the notice must be sent electronically automatically and contemporaneously in response to the individual’s first request for service. In this situation, an electronic return receipt or other return transmission from the individual is considered a valid written acknowledgment of the notice. (Posted 12/2/03)

My nephew is in the hospital and his father brought a friend down there with him to visit and we were wondering if this is HIPAA violation. My sister asked the nurse if she could stop this person from being in the room and the nurse said that as long as they were invited to come down they had the right to be there. I am very concerned with this because no one knows this person and I am afraid that the wrong person might find out about my nephew and his condition. Is this a HIPAA violation that the hospital let someone in the room that is not a family member or friend of the families hear about my nephew's condition?
Your nephew has the right to limit visitors specifically and/or has the right to have his information concerning his, name, room number, condition, etc. removed from the hospital patient directory. If this is indeed his wish, he should let the staff know of his concerns and have proper process put into place to enable this right. The hospital must abide by these restrictions once requested and if after those restrictions are in place the violation continues, a HIPAA violation is taking place and a complaint may be filed. (Posted 12/2/03)

Are medical transcription services that use typists from overseas actually HIPAA compliant?
Medical transcription services outside of the United States do not need to comply with HIPAA regulations. Therefore, you should exercise caution when outsourcing this service. I am including a current event item which brings this issue to light. Please note the following:

October 27, 2003
A California state senator will introduce a bill prohibiting state hospitals from allowing medical data to leave the country, San Francisco Chronicle (  ) columnist David Lazarus reports. The move follows a threat by a woman in Pakistan doing subcontracted transcription work for the University of California-San Francisco Medical Center to post patients’ medical records on the Internet unless she was paid more money.

Under the bill, state hospitals would likely be prevented from outsourcing transcription work unless they could verify that all related files stay in the country, which would make hospitals responsible for any subcontracting issues. Sen. Liz Figueroa (D-Fremont) will introduce the bill in January when the state Senate returns for its regular session, the Chronicle reports. Figueroa expects the health care industry to fight the legislation, but she said that because of the public’s increased concern about privacy issues, the bill will eventually pass (Lazarus, San Francisco Chronicle, 10/26).

In the UCSF incident, the Pakistani transcriber, Lubna Baloch, on Oct. 7 sent an e-mail to UCSF threatening to post all the voice files and patient records from the UCSF Parnassus and Mt. Zion campuses on the Internet unless she received money that a subcontractor allegedly owed her. Baloch attached to the e-mail actual files with dictation from UCSF physicians. After she received a portion of the $500 that she said she was owed, Baloch on Oct. 8 sent UCSF an e-mail withdrawing her threats (iHealthBeat  10/23).

This is the first time an overseas transcriber has used confidential medical records against a U.S. hospital, the Chronicle reports (San Francisco Chronicle, 10/26). (Posted 11/14/03)

I work in a pharmacy and we need to get refill authorization for people's medications. The computer was programmed with the wrong information as to where the doctor was located at. (She practiced mental health at this facility and then moved to another clinic). Well we faxed a refill request on the proper form to the phone number in the computer and it came back to us saying she did not practice at that facility anymore. Was that a violation of HIPAA policies? The pharmacist says it is, well another pharmacist says it wasn't.
To answer your question, you should first look at the policies and procedures of your organization. If your policy stipulates that you must verify that the correct fax information is programmed prior to faxing, then you may be in violation of your organization's HIPAA policy. HIPAA does not offer specificity on this subject but a reasonable approach to protecting privacy and security of PHI is your responsibility. (Posted 11/14/03)

Can my health care provider fax information to an insurance company (or any other company as far as that goes) without my knowing it or authorizing it ?
Health care providers must present you with a Notice of Privacy Practices. In this notice, the provider will state who they provide information to. Health plans will be noted as a group that they supply protected health information to for provision of payment. Health care providers may share information with other health care providers for treatment, health plans for payment, and other specific entities in regards to health care operations. You can request an accounting of disclosures from your health care provider for all those disclosures that must be accounted to the individual upon request. And also there are certain cases where sharing of your information will require your authorization. I suggest you review your provider's Notice of Privacy Practices and then discuss all of these concerns with the provider's privacy officer which will be noted in the notice. (Posted 11/14/03)

We are a family practice referring a worker's compensation patient to an ortho. When the nurse called the physician's office to make the referral appointment the nurse was told due to HIPAA our office could not make the appointment and the employer would have to. Under HIPAA it is our understanding we can use the patient's info for treatment and of course, the referral is for treatment. What documentation could we share with this office to show them a referral from one doctor to another, even for workers compensation, is covered?
It is unbelievable at times the amount of misinformation which is out there concerning the HIPAA Privacy Rule. And unfortunately covered entities that must be compliant are among the largest group that entertain this misinformation. You are of course correct in your comments concerning sharing information with other treatment providers. The best document is the actual regulation which can be found at The first section you will want to refer the orthopedic office to is section 164.502(a)(1)(ii). You can also refer them to section 164.506. There are certainly many other references on the internet but I encourage individuals to go directly to the source for the actual facts and therefore it is advisable that covered entities download the document and keep for reference. (Posted 10/28/03)

Must a covered entity get an authorization to release PHI of its employee for FMLA?
If a covered entity is also an employer, the covered entity may use the employee health records (those maintained in the human resource department) for operations such as the FMLA. The employer may not request the employee's actual medical records without proper authorization from the employee. Simply because the employer happens to be a covered entity, this does not afford him/her the right to gain access to health records maintained by a covered entity without written authorization of the individual. Although health records which are part of the employee file can be used for operations such as mentioned in your email. (Posted 10/28/03)

The Privacy Rule requires Business Associate agreements to include certain things - 164.504(e)(2)(ii)(E),(F) & (G) requires the agreement to state that the Business Associate will make PHI available for patient access, amendment and for an accounting of disclosures. For the agreement with our document destruction service, should those items be left out of the agreement, or should they be included as required, even though they do not apply for the service they perform?
Clearly you can delete those references since there are no documents available for access, amendment or disclosing as they are no longer in existence. (Posted 10/28/03)

My question is concerning chart security. We are Oral-Facial Surgeons and have three locations. The patient charts in all three locations are not accessible to the patients or the general public. Both the office buildings and the offices are locked at night and off-hours, but the charts are not locked in a separate room or area within the offices. Our question is- how ‘secure’ must these patient charts be? Must they be under lock and key in individual cabinets or simply secure within our offices?
The HIPAA Privacy Regulations in this area are not specific regarding the infrastructure of your facility. In section 164.530(c)(1)&(2), the requirements state that you must reasonably safeguard PHI from any intentional and unintentional use or disclosure through the use of appropriate administrative, technical, and physical safeguards. Therefore you will want to do the best job possible with your resources. You may want to ask yourself, if your personal record is placed in any of the areas where records are stored in the three facilities you mentioned, would you feel secure that it was protected. If you are in doubt of any of those areas, you should firm up that process for protection and security of PHI. Also you may want to ask yourself if your current practice makes good business sense and are you 100% sure where you can locate a record at any given time. It is important to make every attempt to secure and protect PHI. (Posted 10/28/03)

I work in the insurance industry and deal directly with bodily injury/liability claims. In order to obtain medical records we obtain written permission from our claimants to request medical records from the providers they list on the form. While we have tailored or Medical Authorization form to meet HIPAA guidelines, we frequently find that specific medical institutions reject our form because it doesn't meet guidelines they have instituted beyond HIPAA's compliance guidelines. Would you please provide a run down of what a basic Request for Medical Information Authorization form should contain, also, in your opinion does a provider have a right to reject our authorization form because it lacks details they deem necessary but are not HIPAA compliant?
Noted below are the minimum requirements covered entities will be looking for in an authorization form:

  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
  • The name or other specific identification of the person(s) or class or persons authorized to make the requested use or disclosure
  • A description of each purpose of the requested use or disclosure
  • An expiration date or expiration of event (i.e. end of trial)
  • Signature of individual and date If the release of information is requested as a court order or in a dispute you must follow those specific guidelines.

You can find the actual privacy regulation and download from the following link . Refer to section 164.512(e). And finally to answer your question concerning the right to reject your authorization form due to lack of HIPAA compliance, I would agree that they do have this right. Before they release information they must be secure that they are following HIPAA guidelines and in many cases must account for disclosures and also need this information. (Posted 10/28/03)

How do I make a subpoena requesting medical records for a legal proceeding HIPAA compliant? Each hospital seems to have their own rules.
Noted below are the minimum requirements covered entities will be looking for in an authorization form:

  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
  • The name or other specific identification of the person(s) or class or persons authorized to make the requested use or disclosure
  • A description of each purpose of the requested use or disclosure
  • An expiration date or expiration of event (i.e. end of trial)
  • Signature of individual and date

If the release of information is requested as a court order or in a dispute you must follow those specific guidelines in addition to the above minimum requirements. You can find the actual privacy regulation and download from the following link  Refer to section 164.512(e). (Posted 10/28/03)

I am a new practice manager for a plastic surgery office. We have a statement which patients read but currently do not sign. Is it mandatory (or recommended) that each patient sign this form indicating our notification and compliance with the new HIPPA law?
The HIPAA Privacy Rule requires a covered health care provider with direct treatment relationships with individuals such as your plastic surgery office to give the Notice of Privacy Practices (NPP) to every individual no later than the date of first service delivery to the individual and to make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If the provider maintains an office or other physical site where she provides health care directly to individuals, the provider must also post the notice in the facility in a clear and prominent location where individuals are likely to see it, as well as make the notice available to those who ask for a copy. It is simply not enough to provide a statement concerning compliance with the HIPAA Privacy Rule. You must produce the NPP which clearly states items from the regulation as well as your individual practices concerning use and disclosure of protected health information along with detailing the patient's rights. Please reference the HIPAA Privacy Rule for the requirements of this document. You can download a copy of the Regulation at the following website: (Posted 10/28/03)

We are a mid-size office and we currently charge patients $25.00 for their medical records. We have been told that per HIPAA, offices are not allowed to charge for medical records. Is this true? I have not been able to find anything specific on the subject.
In response to your question, I am referring you to section 164.524 of the HIPAA Privacy Regulation. The regulation states that if an individual requests a copy of PHI or agrees to a summary or explanation of such information, the covered entity may impose a “reasonable”, cost-based fee.

The fee must include only the cost of:

  • Copying (including the cost of supplies for and the labor of copying)
  • Postage (when the individual is requesting the PHI to be mailed)
  • Preparing the explanation or summary of the PHI (when the individual is requesting this service)

Therefore, you should assess if the $25.00 fee is reasonable and only covers the cost permitted by the regulation. (Posted 10/15/03)

Is there such a thing as "HIPPA compliant shredders"? The rumor around here is that we must have shredders that "cross-cut" in order to be HIPPA compliant.
One of the unfortunate byproducts of HIPAA is the misinformation that accompanies this important piece of legislation. I have been doing HIPAA Assessments and Gap Analysis for a couple of years now. I have trained many organizations from small to large, health care providers to health plans and now am assisting organizations with the audit process for their compliance efforts and I must admit I’m still amazed at the misinformation which surfaces. No where in the regulations is there direction that speaks to a “HIPAA Compliant Shredder”.

When you think of disposing documents, papers, notes, etc. that contain protected health information (PHI), you must remember that this information is in your care and therefore you should take precautions to dispose of it so that the PHI is protected. If your current shredder allows PHI to be visible you may want to revisit the shredder issue but bear in mind the regulation does not endorse any shredding companies or process. Keeping your goal in mind should certainly guide your policy. (Posted 10/15/03)

Does HIPAA change the right of a defendant to subpoena the patient's medical records with notice but without authorization when the patient institutes civil litigation claiming total disability??
HIPAA does not change this right. You are correct in noting that reasonable efforts have first been made by such party (requestor) to ensure that the individual who is the subject of the PHI, that has been requested, has been given notice of the request. This notice must be in written documentation and must include sufficient information about the litigation or proceeding in which the PHI is requested to permit the individual to raise an objection to the court or administrative tribunal. If the time for the individual to raise objections to the court or administrative tribunal and no objections were filed or all objections filed by the individual have been resolved by the court or administrative tribunal, the release of PHI may be honored. This PHI will be released with a qualified protective order stating that the PHI will only be used for the intended purposes and requires the return of the PHI to the covered entity or destruction (including all copies made) at the end of the litigation or proceeding. (Posted 10/15/03)

I have a question about patient privacy concerns. Last week I visited my physician’s office to see if previous health records from a former doctor had been received and placed into my current medical chart. The clerks at the office looked through my file and said some records had been received. When I asked to see the copies in my chart, to determine if they were the right information, I was told that I was not allowed to look at my chart! I was not allowed to look at ANY of my chart, even though I was standing right there! When questioned, the staff informed me that this was a rule of the new HIPPA regulations, and that I was not allowed to look at my chart. I found this to be unbelievable and felt that they were perhaps interpreting the HIPPA regulations incorrectly. Can you please explain this to me?
It seems to me that there may be a communication problem between you and the physician's office. One of the very explicit patient rights outlined by HIPAA in the Privacy Rule is for access of individuals to protected health information (PHI). According to this rule, individuals have a right of access to inspect and obtain a copy of PHI about the individual. The institution may require individuals to make requests for access in writing and could possibly deny this access if it meets the issues stated in the Privacy Rule. There are other more specific clauses noted in the rule but for the most part you do have the right to access your PHI. This right should also be noted in the Notice of Privacy Practices for that organization and you should have been given this notice. If you have not, please request a copy from your physician's office. You also have a right to file a complaint to the Office of Civil Rights. You can file this complaint electronically - You can also mail a complaint and that address differs according to your region. This information should be contained in your physician office's Notice of Privacy Practices or contact the above email for that information. (Posted 10/15/03)

I am trying to find a form for a psych authorization form. do you know where I can find that?
There is no HIPAA approved psychiatric authorization form. The authorization form must be made specific to each situation. HIPAA does state the core elements and requirements of the form which are all detailed in section 164.508(c) of the Privacy Regulations. (Posted 10/15/03)

I work in small private non-profit alcohol/drug treatment agency. My agency works with the local drug court and performs two separate functions for the drug court. We provide case management and the year long drug court treatment. Each client has a case manager and a treatment counselor. To make record keeping more efficient we have elected to have a case management file that the case manager is responsible for and a treatment file that the treatment counselor is responsible for. When the client has completed the drug court program the files will be combined for long term storage. Is it compliant to have two files on one client within the same agency?
Yes, there may be two files. The point is that you must know that these files exist and where all the protected health information (PHI) in your care is maintained. All of this PHI is your responsibility. Also you must understand that if a patient elects to amend a file and this request is granted all files must be modified. Both records should be treated as one. (Posted 10/15/03)

We are a New York PT provider treating a patient injured and treated in Florida. We wish to get copies of the MRI and other records from the Florida health care providers. The Florida provider requests an authorization. Do we need an authorization? This is W/C. She has signed our consent form allowing use and disclosure for treatment, operations and payment.
This is a very interesting question. In order to supply you with all of the information you will need on this topic, I am referring you to the following link:  This link provides an answer by the Office of Civil Rights which is the agency in charge of investigating privacy breaches. This document will supply you with all the necessary information which you may pass on to the covered entities when requesting disclosure of PHI related to Worker's Compensation claims. (Posted 10/15/03)

I was wondering if all patient files must be locked up after hours. If so, what part of the HIPAA requires it?
You will not find a specific notation in the HIPAA Privacy Regulations that state the need to lock up records after hours. However the regulations do state that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI). The regulations go on to describe implementation specification safeguards;
(i) A covered entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
(ii) A covered entity must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

This information can be found in section 164.530(c)(1)- (2)

Locking up files at the end of the day seems to be a reasonable measure for protection of PHI and therefore it is advisable to pursue this process. (Posted 10/15/03)

I am a hearing officer for a state Unemployment Appeals Agency adjudicating cases under our states Unemployment Compensation Law. Under HIPAA ,are employers, which have medical information about a former employee, prevented from presenting this information in an appeals hearing regarding that employees reason for separation, without the former employers permission?
The information provided in this question is very limited but I will attempt to answer with that in mind. First of all HIPAA regulations apply for covered entities only. A business associate of a covered entity is tied to that covered entity if a business associate contract is involved but the business associate is not held liable under the HIPAA regulations. So the first question is whether or not the employer is considered a covered entity.

HIPAA requires "covered entities" to protect certain categories of information that qualify as "protected health information" under its provisions. The HIPAA regulations state that individually identifiable health information in employment records held by a covered entity in its role as an employer is not "protected health information." (45 C.F.R. §164.501). The HHS explains it this way:

Medical information needed for an employer to carry out its obligations under the Family Medical Leave Act (FMLA), the Americans with Disabilities Act (ADA), and similar laws, as well as the files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by the covered entity in its role as an employer. 67 Fed. Reg. 53, 192 (Aug. 14, 2002).

This type of medical information is a necessary part of the employer's official function, and the law permits employers to collect and maintain it. It is not HIPAA-protected, BUT is still subject to state laws on privacy! It should be treated as confidential information.

A follow-up question: If the employer is a hospital and contracts with an organization to provide employee assistance programs for their employees, including treatment for substance abuse, are the records of collection, chain of custody, and methodology of testing of urine, blood, and hair samples, and the test results protected health information that the employer would be liable under the act if given as evidence in an appeals hearing with out the former employees permission?
According to the information, I am assuming that all of the health information you are referencing is part of the employment records maintained by the covered entity in its role as an employer and therefore is not considered PHI. Now if this information is gained by accessing the employee's medical record found in the hospital, the testing of urine, blood, and hair samples, and the test results are considered PHI and can not be disclosed. But I am guessing that this information has been maintained by the HR Department in conjunction with an agreed upon drug screen program and therefore is not considered PHI. (Posted 10/15/03)

We have a dental practice that treats families. Our question is when a parent brings in a child that is a new patient and signs an Notice of Privacy Practices form on behalf of their child and then comes in a few days later with another one of their children who is also a new patient-does the parent need to sign a separate NPP form for that child as well or can the first form that they signed be designated for all of their children ?? You can certainly provide one copy of the NPP for each family and ask that they sign receipt and apply to all of their children so that you may enter this in your database or place copies in each of the charts. If this is the form you are referring to, the idea is that the individual and in this case that is the parent understands your policies in regards to use and disclosure of protected health information as well as their rights in regards to this information. Therefore one NPP receipt applied to all of the children's records should be sufficient but make sure the parent understands that you will be including this in each of those records. (Posted 10/15/03)

We are a long term care facility and we have held open meetings for the families of patients where names of our residents may be used by family members. Are we or would we be out of compliance in an open forum like this? What would you recommend to solve this question?
The intent of the HIPAA regulation is not to hamper patient treatment or those related activities. It sounds like family night is important for the patients as well as their families. My suggestion is that this practice along with other practices similar to this be included in your notice of privacy practices (NPP). This way patients and their families will be aware of the process as well as the limited amount of PHI that may be shared during these meetings. You should also take every step possible to limit the information shared during this program. (Posted 10/15/03)

We are a pediatrics clinic and we occasionally have "coloring contests" and display the pictures on our hallway bulletin board with the child's name and age displayed. Also, we occasionally display halloween "pumpkins" with the child's name signifying contribution to March of Dimes, etc. Is this considered disclosure of PHI - do we need the parent's authorization - or should we cease these activities?
The intent of HIPAA is not to hamper activities of providers but to protect PHI. The coloring contests and bulletin boards probably help your little patients feel more comfortable and secure and therefore should not be dismissed. One of the original guiding principles of the HIPAA regulation is to provide privacy and security for PHI so that patients are comfortable with sharing this information to healthcare providers and therefore communicating in a way that will best serve their treatment, etc. With regards to the pictures, you should be aware that some patient's families may not want this information (full names) to be public for reasons they may have. You should adopt a few new practices in regards to this issue: Use first names only on the artwork Discuss the artwork in a brief statement in your Notice of Privacy Practices as a practice of your office Provide the opportunity to your patients (PARENTS) to opt out of this process if they object to the first name of their child appearing in public I doubt that you will have many issues with this practice but it is always better to inform individuals up front and provide a process for opting out if they so desire. (Posted 10/15/03)

My mother in law recently received a letter from her attorney in which he specifically cites the new HIPAA laws and how they affect the release of information to family members. In his letter, he points out that "Many of you have already signed HIPAA release forms at your doctor's office, pharmacy, or hospital. These releases are for your Health Insurance Company and Medicare and authorize the release of information to them. They do not release information to your family or agents."

He has offered to provide a form at a cost of $125 for the initial authorization (e.g. family member 1) and $50 for each member after that.

My question is this: Can this be done with her provider? Would it be acceptable under the HIPAA regulations to sign an authorization with her physician and hospital to release medical information to selected family members? Is it necessary to work through an attorney to accomplish this?
I have reread this email several times as I am not believing what I am seeing. There are many items of misinformation in this email. I am assuming from this email that these are the facts as you see them and therefore I am responding to those items. I caution you that this may constitute a situation purely on miscommunication between the attorney's office and your mother-in-law and you should first gain clarification of this letter. I would like to simply provide you with some clarification on the items of HIPAA which you are addressing.

  • HIPAA does not in the final rule require a release form for treatment, payment, or health care operations
  • HIPAA does require organizations such as the " doctor's office, pharmacy, or hospital" referenced in your letter to provide the Notice of Privacy Practices (NPP) of individual organizations to their patients and with that these organizations must make a good faith effort to obtain a written acknowledgment of receipt of the NPP. This is probably the document the law firm is discussing in reference to a "HIPAA document"
  • You may also be asked to sign a release for your Health Insurance Company and Medicare but this is not a HIPAA mandate and is not necessary under the HIPAA guidelines
  • The NPP of each organization will define how they use and disclose your PHI and in many cases will note that personal representatives such as family members may be included. You as a patient have the right to include or exclude any individuals in this release of information and you should follow the process of that individual organization
  • It is not necessary to work through an attorney for this process unless the individual (patient) does not want to include the family and there are extenuating circumstances such as legal implications or guardianship that must be addressed (Posted 10/15/03)

I have an associate who believes that his mother may have Alzheimer's disease. However, this associate's mother requested that her doctors not give out any information to anyone concerning her condition, including her family. He is extremely worried about her. What does he need to do to find out what his mother's condition is?
Patients do have a right to request that their information be restricted from certain individuals. With that said, it is also important to note that HIPAA is informing providers such as a physician that if they feel this is not in the best interest of that patient, they are free to supercede this restrictions in an emergency situation. I am sure neither you nor I have all the facts in this case and therefore, I suggest your associate contact the physician office and request a family meeting to discuss what is in the best interest for the patient. If the physician feels it is important to follow his patient's restrictions and the associate feels otherwise, this will then need to be taken up with an attorney. Communication is certainly the key here. (Posted 10/15/03)

We are a residential substance abuse treatment facility located in Vermont. Often, our clients/residents come to us either from a correctional facility or at the recommendation of a probation officer. My questions regarding patient privacy are:
1. before the client enters treatment we may receive a faxed signed consent for release of information form between our organization and the probation officer. The person enters our facility and then notifies our staff that s/he wishes to revoke the consent. Can we revoke a consent that we did not sign, but were the recipient of? Can we then tell the P.O. that the consent has been revoked?
2. we use a separate consent form for each 'part' of the department of corrections and their affiliates: the court, public defender's office, probation officer, facility case worker, etc. We are aware of a large organization that uses one consent form for all the above. This would be a great time and paper saver, but we are not certain that this is allowed under HIPAA.
From reading your email I am not 100% sure of your status in regards to a HIPAA covered entity. Therefore, I submit this test for you to apply first regarding your status: Here is a simple test to see if a person, business, or agency is a covered health care provider.

  • Does the person, business, or agency furnish bill, or receive payment for, health care in the normal course of business?
  • If the answer is yes, does the person, business, or agency conduct covered transactions?
  • If yes, are any of the covered transactions transmitted in electronic form?
  • If the answer to this question is yes, the person, business, or agency is a covered health care provider and must comply with all HIPAA regulations

In regards to the consent/authorization which is signed with the correctional institute, you should definitely notify that agency/ P.O. or whomever is the designate regarding revoking that consent as this was the originator of the consent.

I believe you are referencing an authorization form in your second question and yes you may use a single form but must stipulate the intended use, recipient of the information, dates, etc. as noted in the guidelines. There are some exceptions concerning multiple use noted in the regulations. The form could have fill in the blank information and also note all departments but the actual agency or department must be addressed by some method. (Posted 10/15/03)

On page 9 of your Privacy FAQs you stated that “The acknowledgement of receipt of the NPP needs to be obtained once unless the NPP has been changed.”   It also states “The new NPP must then be distributed immediately.”  In training, I was told that only if we make material changes to the NPP do we need to distribute it and that as long as the most current NPP is on our website we do not need to re-distribute.  Also that we do not need to get another signed acknowledgement. Please advise. 
This is one of those confusing topics in the HIPAA Privacy Rule. The NPP must first of all contain a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice [164.520(b)(1)(v)(C)] Therefore, you do have a little say in this area but remember you must disclose this in your NPP. Therefore you may elect to post the revised notice and have available new copies of this notice with a notification as they enter your system that a change is in place.

Furthermore, the covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. [164.520(b)(3)]

And as a covered health care provider that has a direct treatment relationship with an individual, you must whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section. [164.520(c)(2)(iv)] This applies to posting the notice, revising the website posting, and having a copy of the notice available upon request.

In regards to the signed acknowledgement the regulation does not note specifically that you must get a new signature. However, it makes good business sense that when you make a material change and you are providing this information to an individual, you would document that the individual has received this new document or has knowledge of the changes. An acknowledgement signature would surely provide this proof. (Posted 10/15/03)

I work in a busy hospital ambulatory procedure department. Our waiting room is directly across from the nurse's station, and discussions about patient care can be overheard in the waiting room quite easily, even when voices are kept low. Because facilities are not required to make structural changes, other than cautioning the staff and doctors, does anything else need to be done?
I can certainly understand your dilemma concerning architectural changes but you can reasonably separate this area by using glass or Plexiglas partitions creating a sound barrier. This falls under a reasonable change in order to protect PHI and will be well worth that small investment. You can also create a sound diversion with the use of televisions or music in the waiting room. This creates noise in that area which keeps conversations from being easily overheard. You may also position the chairs in the waiting area as far away from the nurse's station as possible and turn them so that their back is to your area as well as turning your chairs and conversation away from the waiting room. By using head sets for telephones, you can speak in a lower tone and be easily heard by the caller on the phone but not by those in the waiting area. And always remember to keep the information about patients and identifiers to a minimum if at all. (Posted 10/15/03)

How can I find out more information on requirements for patient record retention. Is it true that records must be kept for the life of the patient??
To answer this question, you must look to the different standards available to health organizations.

HIPAA speaks of a 6 year retention for Privacy policies and procedures, accounting of disclosures, etc. The actual medical record retention is governed by federal health record requirements outlining record retention. Each state also has its own separate retention standards and regulations. And accreditation agencies may also have their own retention standards requirements.

You can also look to the American Health Information Management Association (AHIMA) for guidance on this topic. (Posted 9/8/03)

I would like a definition for "individually identifiable information".
Individually Identifiable Health Information (IIHI) is information that is a subset of health information, including demographic information collected from an individual.

This is information that is created or received by a health care provider, health plan, employer, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. In other words it is the information that can actually link a patient to health information.

IIHI can actually identify an individual or provide a reasonable basis for identifying the individual.

The list of identifiers can be found in section 164.514 of the Standard. (Posted 9/8/03)

Is there is a limit to how much can be charged per page or per hour to prepare a patients request for health information?
The regulations do not stipulate a dollar amount for preparing a patient's request for information. Although it is noted in the regulations what can be included in these fees and that this fee must be reasonable. Therefore, with that in mind you should be prepared to defend the fee which you charge in reference to reasonable. (Posted 7/10/03)

I work for a small company that has business associate agreements with the physicians and facilities, we offer new technology in the marketplace, we are running into a problem in getting the insurance companies to verify patient eligibility and benefits, even though we have signed contracts in place. We do all the billing and negotiation of the claim prior as usually we are billing for an unlisted CPT code that currently has no designation. What do I do to overcome the challenges of getting benefits from the insurance companies?
This is a difficult question to answer without more information such as what your Business Associate Agreement actually states. However, I suggest you develop a list of all information that is absolutely necessary to perform your job regarding obtaining benefits information. HIPAA states that you must pay attention to the minimum necessary information needed to perform this task. Once you have developed this list work with the providers to attain only that information. This will show your Business Associates that you are well aware of the HIPAA guidelines but need certain designated information to perform the task necessary for health care operations. (Posted 7/10/03)

Where should the charts be kept when the patient  is to be seen and is in the exam room? Should they be in the room, outside on the door, outside the door on the wall? Or somewhere else?
I’m assuming that you are speaking of the individual’s specific chart and if so there are no direct HIPAA regulations regarding this practice. You should follow the practice of your office, which you believe is the safest. If you do put charts outside on the door or on the wall, be sure to have the name concealed if at all possible by turning the chart inward with the name to the wall or door. You may also use a deep sleeve that will conceal the name from the public or other patients who may be in the hallway. A good rule of thumb to follow is to imagine your name on that chart or other item and protect it, as you would wish your information protected. (Posted 7/10/03)

I am looking to get an answer for the following concern of ours: Do we have to take off resident's name from the doors, how about the working folders on the unit?
HIPAA does not specifically stipulate answers to your questions but places reasonable options in your hands. If there is a secure way in which to handle these issues and thereby provide privacy for the patients, you should take those reasonable steps. You should also document your actions by placing this information in a policy and procedure and in some cases the Notice of Privacy Practices. My suggestion to you is that you take a look at all of the protected health information (PHI) which is in the public's view and place your name on that information. Would you want your PHI protected in a different manner? Is there someone or some institutions that you would not want to see this information? Remember, your organization must comply with HIPAA to the best of its ability and document these efforts.  (Posted 6/19/03)

What are the limits specified in the act for release of medical information to family members who are inquiring about a hospitalized individual? Is there a difference if there is a medical power of attorney form on file?
The act essentially puts the onus upon the patient and the provider to release information to family and friends involved in the care of the patient.

What many providers are doing involve getting a listing from the patient during registration of who a designated contact person or two will be. If this is done verbally, it is documented at the time of instruction. The notation is then consulted whenever inquiries are made of the provider for information on the patient.

It is understandable that this is causing a lot of agitation for family members. However, providers have taken it upon themselves as a precaution to avoid disclosure to the "wrong person".  (Posted 6/19/03)

As a health care provider, what do we do if a patient refuses to sign any HIPAA forms of consent or authorization? Can we still treat the patient and what are our boundaries?
In general, treatment cannot be conditioned upon the patient signing an authorization. In the Privacy Guidance issued by OCR on December 3, 2002, clarifications were made on the difference between authorization and consents.

HIPAA is concerned with the disclosure of protected health information, thus such information may not be disclosed without the authorization of the patient. If the patient refuses to sign this authorization, in most cases, treatment cannot be withheld.

The consent provision was taken out of HIPAA. The consent for treatment is voluntary under HIPAA privacy guidelines. According to the Guidance, “covered entities that institute consents for treatment have complete discretion to design a process that suits their needs”. You could withhold treatment without the signed consent for treatment if you so choose. It is important to document in all cases when this occurs in case of any disputes that may result.  (Posted 6/19/03)

Are old records that have been copied and sent from other providers considered a part of our medical record? When complying with a request for records, are we allowed to also copy those other records or not? It would seem that once we receive them and they are a part of our chart, then they become "our" records and should be included when records are requested. There is a great deal of confusion regarding this issue.
Your question is another in an ongoing debate in the industry. There are those that will not release this information, claiming that information received from a third party does not fall into the "Designated Record Set" for release of information as described by HIPAA. Still, there are those who believe that once the record is incorporated into a patient's record, it's fair game.

It actually goes to the state level in some cases to be decided. I am not familiar with your state's laws and I would check the pre-emption language (state more stringent than HIPAA) regarding this. Absent that, I would contact legal counsel for an opinion. We cannot and will not offer legal opinions.

I can tell you, however, that the majority of the providers that I personally have talked to are including records that were received for the direct treatment of a patient to be a part of the patient's medical record. Once again, this is not a legal opinion. You must be comfortable in defending any decision you make in this regard. Please ask legal counsel. (Posted 6/19/03)

I work in an acute care facility and would like to know if it is a HIPAA violation to allow allergy stickers to be placed on the front of inpatient binders. Some of the stickers list the specific allergens and some simply alert the physician to the existence of an allergy. The patient's name is on the spine of the binder. I do have some physicians complaining about this practice as well. They prefer that the name be placed on the front of the binder with allergy stickers. What is allowed under HIPAA for both of these situations? What about other condition alert stickers, such as....diabetes, transplant status, etc.?
The key to HIPAA is not in the stickers themselves, but how, overall, the patient records are being protected. Can the average visitor/non-medical staffer access the file? Is the file left out and unsecured?

The reasonable protection of confidential patient information is the key to HIPAA compliance. If the chart is properly secured, the stickers are not an issue. (Posted 6/12/03)

I'm the Advisor for a hospital sponsored organization, Senior Friends. Senior Friends is a national organization sponsored by Hospital Corporation of America with our local chapter being sponsored by our local Medical Center. Senior Friends and the hospital has sponsored health fairs in the past, such as stroke screenings, blood pressure, etc. and have considered even lipid screens (blood tests). Our concern is that under the new regulations, are we responsible for maintaining medical records for people who might attend a health fair or expo where screenings are set up or if we have simple blood pressure checks in our office? Health Fairs are currently on hold throughout our facilities until we have clear instruction as to how HIPAA regulations relate to these events.
In several contacts with the Office of Civil Rights (OCR) and with peers, this has been and continues to be a gray area of the HIPAA regulations. If you are collecting, storing and maintaining protected health information (PHI), you are most likely required to provide a Notice of Privacy Practices (NPP) document outlining your organization's privacy policies. If you are not collecting, storing and maintaining protected health information, you would not be required to provide NPP's or any other privacy-related documentation.

OCR has yet to address this issue through any type of guidance as of this writing. They are aware of the many questions about the health fair events and the potential HIPAA impacts.

One further question would be on the route you take when "sub-optimal" results are reported back to the patient. Is any record of that kept by your organization? If so, you would most likely be impacted by HIPAA privacy. (Posted 6/12/03)

Please define what constitutes a "public" workstation. I work in an accounting office for a national dialysis clinic. Our Accounts Receivable Department handles the accounts for over 250 dialysis clinics located throughout the United States. The general public, including patients, do not have access to our office. We deal strictly with the clinics themselves and this is done by the computer, fax, snail mail and phone. The only people present in our work area are our employees all of whom have signed a confidentiality oath.

Thank you for clarifying this term...."public" workstation for me and my co-workers.
The definition of public workstation goes beyond the general public’s access. While “public” generally refers to this group of persons, HIPAA also touches on minimum necessary access and need to know provisions.

If each employee in the clinic has the same access rights (and they probably should not), then there probably would not be a large issue. The issue, however, is with different employees needing different levels of access to do their jobs and workstations being left unsecured. If person A, for example, is a billing person and leaves his/her workstation with a screen visible, and person B can walk up and see information he should not see, this could be considered to be a breach of privacy.

The key is securing workstations by logging off after non-use, logging off when leaving the workstation, and not keeping screens in general view of those who don’t need the information to do their jobs. (Posted 6/12/03)

My question concerns radio transmissions between ambulance corps, police dispatch and the hospital. Since many people have scanners, is it still acceptable for the police dispatch to give the nature of the call and the call location over the radio? And can the ambulance crew relay this information and patient condition to the hospital over the radio?
In the Privacy Guidance from OCR, the following question was asked: "Does the Privacy Rule require hospitals and doctors' offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?"

Answer: No, the Privacy Rule does not require these types of structural changes be made to facilities.

Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. "Reasonable safeguards" mean that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. The Department does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, the Department will take into account the concerns of covered entities regarding potential effects on patient care and financial burden.

For example, the Privacy Rule does not require the following types of structural or systems changes:

  • Private rooms.
  • Soundproofing of rooms.
  • Encryption of wireless or other emergency medical radio communications which can be intercepted by scanners.
  • Encryption of telephone systems.

Covered entities must provide reasonable safeguards to avoid prohibited disclosures. The rule does not require that all risk be eliminated to satisfy this standard. Covered entities must review their own practices and determine what steps are reasonable to safeguard their patient information.

The key is reasonability. If you are making every effort in this case, you should be in compliance. (Posted 6/12/03)

I work in the health insurance industry and a recent article in the Dallas Newspaper caught my attention. Per the article, churches and other religious organizations are bound by HIPAA. This goes against what I knew/understood to be the case. Can you confirm my understanding or elaborate on the limitations placed on Churches in regards to announcing/praying for the sick?
The limitations on the clergy itself are not all that strict. The clergy is not a covered entity for HIPAA purposes. The onus is on the facility to make available to opt-out for the directory and clergy notification. If this is completed and the patient is a "no-list" for clergy, and the facility follows the instructions, the only disclosures at that point would be incidental disclosures. That is, if a clergy member walks through the hospital and sees John Doe in the room, this would be incidental.

Nothing legislatively covers the clergy member from going back to the pulpit and making the announcement that you are in the hospital. Many facilities, however, are training clergy members in the ways of privacy. They are letting the clergy know that some patients want their privacy and don't want the church to know. This is more of an ethical issue that many clergy are reacting positively to. (Posted 6/12/03)

Is it a violation of HIPAA for a doctors office to leave a message on a patients home answering machine confirming an doctors appointment and also stating the nature of the visit? My doctor left a message confirming an appointment for an exam and the message was played back by my parents since I wasn't home yet. Is this a violation of my privacy?
The following is from the Guidance on HIPAA Privacy, provided by the Office of Civil Rights (December, 2002):

Q: May physician's offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients' homes?

A: Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual's privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).

So, unless you have specifically requested that confidential communications be used, the provider did not violate your privacy in this instance. (Posted 6/5/03)

Please let me know if a case number from IP is considered PHI alone or does it need to be attached to a member name, DOB or something else before it would be password protected.
If that case number can in any way identify a patient, it is considered PHI. Therefore, it is difficult to answer your question without knowing this information. A good rule of thumb is to simply ask yourself if you could trace a potential identifier back to a patient and if so, you can be assured that that number, date, name, etc. is considered an identifier. (Posted 6/5/03)

I recently went to a doctors office to get some personal tests run... I was very adamant and concise about how they were to contact me... no phone calls to my office or my home...none...I clearly stated, not only verbally but on my admissions, that they were to contact me via email only...

Then they called me at my office telling the receptionist that MY DOCTOR called and wanted me to call back...

I work in a small office that has my MD's as clients but I purposely chose an outside MD for privacy you may well know small offices tend to gossip and enjoy other people's business...

First of call should have been made, but if a call must be made they should not have stated they are MY DOCTOR...just hang up and call back...

What are the regs on this?
This question is indeed one of the reasons for the HIPAA privacy legislation. Our health information is very private to us and should be kept private by those who have been given this privilege. HIPAA clearly states that individuals have a right to request confidential communications and that covered entities must abide by that request. Therefore, this provider has violated your privacy and the HIPAA privacy regulation. I suggest that you contact the provider and ask to speak with the privacy officer and report this breach. Every entity covered by HIPAA must have a Privacy Officer. You may also report this breach to the Secretary of the Department of Health and Human Services (DHHS). All complaints to Secretary Tommy Thompson must be made in writing, be made within 180 days of the actual act requiring a complaint and must name the entity and subject of the complaint. The provider must supply you with this process. My suggestion is to work directly with your provider to clear up this breach and prevent additional breaches. If the issue is unresolved you may need to take the next step. (Posted 6/5/03)

I am a consultant to Long Term Care Facilities. I have a question about the accounting of disclosure to state agencies. I believe the state surveyors can access the records and we do not have to log their review of the records in the accounting of disclosure because this is part of health care operations. My question is, does this apply to the nurse who investigates complaints of abuse and neglect? This is not the usual health care operation and would fall under public health authority or health oversight and should be logged.
You are correct, the nurse investigating a complaint of abuse and neglect must log this disclosure in the accounting of disclosures. Although, it is permissable to share this information without written authorization from the patient. (Posted 6/5/03)

I work in an ambulatory surgery center. When we call our patients for follow-up after their surgery, is it acceptable to leave more information than just our facility name and nurse’s name with a request to call us back? Our patients get confused about who is calling, and why, even though we inform them before discharge that a nurse will be calling to check up on them. If we have this information in writing on the discharge instructions, and the responsible party signs the instructions, are we covered under HIPAA? Specifically, is it alright to say that we are calling to check up on the patient if we get an answering machine?
Your question concerning information is a good one but one that is difficult to answer with one simple answer. In many cases, the information you are giving may be just fine but in some cases it may not and this may set up a harmful situation. Therefore, the best way to handle the situation is to place how you communicate with patients in your Notice of Privacy Practices. This should be very detailed. If patients request a different method of communication, you must clearly record this request, disseminate it to all who may be involved and abide by the request. (Posted 6/5/03)

In our waiting room we have a bulletin board that parents place their children's pictures on. There are no names given on the board. Is this in HIPAA compliance or not?
Under the rules of HIPAA, a picture is considered to be identifiable information. However, since you indicated that the parents place the pictures there, that implies that the parent is authorizing disclosure of the identifiable information. If you want to be within the letter of the law, get a signed authorization from the parent. This will guard against any question that could be raised.(Posted 5/29/03)

I am a police officer for a medium sized municipality and I am wondering about our status under the HIPAA regulations. As a first responder to violent crimes, all severity's of vehicle crashes and other related items I was wondering if as a part of our investigation of crime are we allowed to collect basic medical information from EMS providers to investigate a crime. For example a colleague of mine responded to a hit skip vehicle crash where a pedestrian was struck by a car that fled the scene and our local fire department paramedic squad also responded to the scene. As a part of his investigation the police officer asked the paramedics the victims severity of injuries, which is required information on the traffic crash report and for any criminal investigation that would follow. He was told by the paramedics that they would be in violation of HIPAA to divulge any information on the victim. I found this to be incredibly ridiculous as the information that the officer was asking did not concern any of the victims medical history or treatment being received but important information that would be needed to solve a crime. Are the paramedics in my city right in their interpretation of the HIPAA standards and regulations or are we, as first responders to scenes, entitled to receive the basic information for protection of the victims rights and to solve crimes? What information are we allowed to expect to receive from EMS units that respond to crime and vehicle crash scenes?
You are correct it is not HIPAA's intent to hamper your investigation. Protecting privacy of health information is a prime objective but other valuable protections for individuals should not be placed in jeopardy. You can refer to, and also refer the paramedic to, section 164.512(f) in the HIPAA Privacy Standards. This entire section speaks to the disclosures for law enforcement purposes that do not require an authorization. You can find this document at this link: . By carefully reading this entire section, you will see the many instances where law enforcement agencies may gain access to information necessary to perform their jobs.( Posted 5/29/03)

Would you have an example of a Disclosure Log?
Accounting of Disclosures must be tracked and the documentation should include date of disclosure, recipient of information, what was sent, and the purpose of the disclosure. You should also track requests that a patient or client makes for an accounting and this should contain the patient’s name, date of request, date satisfied or denied, and details of request or denial. A simple electronic solution provides the best option for tracking this vital information. Beacon Partners has developed a simple solution, please contact us for further information on this product. (Posted 5/29/03)

I work in a Doctor's office. If a patient wants to change their primary doctor to the doctor I work for I send a signed consent for release. What has to be done on this form to be HIPAA compliant?
Nothing-special needs added to this form for HIPAA. HIPAA does not require a consent or authorization for treatment, payment, or health care operations. This falls under treatment and therefore the exchange of information is okayed by the patient’s request as covered in your original consent. (Posted 5/29/03)

The surgeon and ambulatory surgical center for whom I work are affiliated entities by ownership, etc and we have declared as such. They are two separate corporations each with their own tax id numbers. Therefore, we have one privacy notice for both entities. We are only filing the notice of receipt in the physicians chart. I am wondering if I need to file a photocopy in the surgery center chart of the mutual patient.
Yes, you should file the receipt of NPP in both places. Therefore if the patient presents at the surgery center you may know whether or not this requirement has been satisfied, if not the NPP must be offered at this time and then filed in both places. (Posted 5/29/03)

I work for an audiology-based company. We provide our patients with hearing healthcare such as earwax removal, hearing evaluations, and hearing aids. When a hearing aid is sent out for repair, the patient's name is on the repair form and the manufacturer knows the patient's hearing loss, etc. This is considered PHI. Because we are a busy office, we ask all patient's when they come in to sign our Authorization to Disclose/Use form. I have two questions.

1. If a patient does not sign this authorization form, can we still see them and can we still treat them with hearing healthcare such as sending an aid out for repair?

2. At fairs, we bring out portable video otoscope which allows people to see the inside of their ears. This is done in front of people passing by. Is this ok? Do we need them to sign a form? Or is verbal consent good enough?
The work that you have described is for both treatment and healthcare operations, therefore you do not need a signed authorization to perform these functions. Although you may want to include this information in your NPP to alert your patients of how their information is used. (Posted 5/29/03)

I am a dentist. If I refer a patient to a specialist, do I need a "Business Associate Agreement" with that specialist to receive a report regarding the treatment or a copy of the treatment radiograph for the patient's record?
You do not need a Business Associate Agreement when referring or participating in a consultation. It is not HIPAA’s intent to hamper treatment, payment or health care operations. You should also include this information as part of your employee’s training so that all of your staff is operating from the same level of understanding.  (Posted 5/15/03)

Is there a certain format in terms of font, point size, etc for the patient privacy notice?
The Privacy Regulations contain many references to reasonability. This is another one. There is no specific guideline for font size, point, etc. It all comes down to reasonably being able to read it, both in size and in language. (Posted 5/15/03)

What do we need to show as proof of compliance? Is there a form and who do we send it to?
I am responding to your question about proof of compliance. Unfortunately, there is no "proof of compliance" form. The proof of HIPAA compliance will come during day to day operations. If you are a covered entity and you have followed the necessary steps toward HIPAA compliance, you should be able to avoid the complaint process which will test compliance.

If a patient or his/her representative feels that their privacy has been compromised, they will file a complaint with the Office of Civil Rights, which may initiate an investigation into your covered entity's HIPAA compliance. (Posted 5/15/03)

I am a premedical student at Cornell University, in my junior year of undergrad studies. I've been trying to arrange a shadowing (internship) with some local doctors, but they hesitate to take me on due to HIPAA's new regulations.

Do the new regulations restrict premedical (undergraduate) students like myself from shadowing/interning with doctors? While I definitely appreciate patient privacy concerns, how are we to gain experience in the medical field while complying with HIPAA's regulations?
The premed program could be considered a training program and therefore is permissible under HIPAA for PHI to be shared. It is not HIPAA”s intent to restrict education. This training must be done under supervision in order to practice or improve skills as health care or non-health care professionals. As a student you must follow the guidelines of that healthcare provider’s HIPAA policies and procedures. Students fall under the Healthcare operations umbrella which is referenced in the definitions section of the Privacy Regulations (164.501) (Posted 5/15/03)

I am looking for information on the HIPPA guidelines pertaining to mental health providers. Do you have a booklet we can obtain?
Unfortunately, we have no booklet available for this topic. Some things to note: First, depending on the state you are in, mental health guidelines for states are more strict than the HIPAA guidelines. In this case, the state regulations would preempt the HIPAA guidelines.

Generally, psychotherapy notes are given special protections, as long as they are not part of the employee's general medical record.

This is an area that is a little more complicated than the general HIPAA guidelines. There are many things to look at, including any notices of Privacy Practices, billing concerns, etc. (Posted 5/15/03)

I am a dental consultant located in the Denver area and am trying to find out if it is permissible for the dental office to post their daily schedule of patients by name only in the treatment areas, or would this be a HIPAA violation? Rationale: If a patient sign-in sheet is permissible at the reception area then it seems as if a daily schedule should be permissible to post as long as no medical information is on it.
The spirit of the HIPAA privacy regulations is to avoid, whenever possible, disclosure of PHI. The names of patients posted in an area that is accessable and viewable by the general patient population should be looked at with your specific organization and infrastructure in mind. If you can find a reasonable alternative, this would certainly be the better option. (Posted 5/15/03)

I would like to know about the HIPPA requirements for patient charts. Can you have the patients name on the front of the chart?
HIPAA is not so specific regarding patient charts. This is one of the many places HIPAA asks you to exercise the reasonable approach. If there is a reasonable approach that you may take to keep this information from the public’s view you should employ it. If charts are placed on doors, you could simply turn names to the door or use a holder that would cover the name. If charts can easily be seen from nurse’s station or reception desk, move them back away from view. I suggest that you put yourself in the patient’s place and see what they are seeing. Then attempt to find simple solutions that will make this opportunity to view other’s PHI more difficult. (Posted 5/15/03)

I am looking for specific examples of sanctions that would apply for violations from business associates or employees as it pertains to PHI. In the Privacy Manual it states that you need to have a set of guidelines in place for sanctions placed on non-compliance or violations.
The sanction provisions of HIPAA really relate to the employees of a covered entity. There are clauses to be included in Business Associate Agreements that would address contractual remedies that you could take in the event of a breach. There are many templates for Business Associate Agreements which are available, or you may want to talk with your Legal Counsel for more customized language.

As far as the Human Resources Sanction policies, it will vary on the types of disclosures and the disciplinary (sanctions) that will be taken against an employee. Many covered entities have, in their employee handbooks, a section about confidentiality, including examples of the types of data which is to be confidential, the access to particular data on a "need to know" basis, etc. Examples of violations might include accessing patient records not needed to do a person's job (i.e. looking up the medical records of a celebrity), talking with others who don't need to know, about a patient's case or care, etc.

Disciplinary action statements often include verbiage like "we will discipline violations up to and including immediate termination", or a like statement. If you have an existing disciplinary policy, it is often the case where HIPAA language is "baked into" the existing policy. (Posted 5/15/03)

I am an architect working on a renovation for a Massachusetts hospital. Part of the project involves a new reception area with two patient interview stations. Each station will have a counter and two side-walls that extend to six feet high. Can these sidewalls contain glass? The patients would be able to see each other, but not hear each other.
The HIPAA privacy regulations require a "reasonable" effort to protect against disclosure of protected health information to unauthorized parties. The following is not to be considered to be a legal opinion: The steps you have taken to protect the confidentiality of the patient are excellent and fulfill the requirements set forth in the regulations. The steps toward soundproofing the area in question are more than adequate.

You should tell the staff at the hospital to monitor other patients who might be trying to look over or through the glass and to make every effort to protect against this type of incidental disclosure. (Posted 5/15/03)

Our local news paper insists that we release the following information for the news paper report:

Patient Name, Point of pickup, Point of drop off, Reason for pick up, Date

I feel this must be in violation of HIPAA regulations, I am having trouble locating a document that will clearly state this is not acceptable practice. Is this against HIPAA regulations?
This is in regard to your question about the local Newspaper and their "insistence" that information is released, as noted.

Release of information to outside sources, including media, has always been an option for healthcare providers. For that reason, I am unclear about the question's reference to "insistence".

As far as HIPAA regulations, the patient has the option, as should be stated in your organization's Notice of Privacy Practices document, to opt out of having their Protected Health Information released to the media. Ultimately, the HIPAA regulations give the patient more control over their own Protected Health Information. (Posted 5/15/03)

For years we have taken a polaroid photo of children who do not have cavities after a hygiene appointment for display on our "No Cavity Club" board. Their name and the date of the exam are at the bottom of the photo. Is this an unacceptable practice according to HIPAA guidelines?
This is in response to your question regarding the "Children's NO Cavity Club". This type of club is very common and very popular. In fact, my own children happily take part!

The fact is, however, that the publishing (posting, in this case) of identifiable patient information, in this case a photo with a name and a date of service, requires an authorization from the patient. If the patient is a minor (in this case), the parent must give authorization. (Posted 5/15/03)

I would like to know how the new HIPAA standards relate to medical messaging services. We have been asked to swap confidentiality agreements with several of our medical accounts. Is there more we should be doing to be in compliance?
I am assuming from your question that you are business associate of these medical accounts. Therefore you are being asked to keep all protected health information private and secure. You should educate your employees on the HIPAA regulations, develop a policy concerning protecting privacy and apply sanctions if violations occur. (Posted 5/15/03)

1. Does the acknowledgement need to be signed on a yearly basis or just one time?

2. We are almost a paperless office. Do you have any suggestions or resources for us as to how to track which patients have filled out the form or who still needs to? We don't pull a chart for every patient at every visit.
The acknowledgement of receipt of the Notice of Privacy Practices needs to be obtained once unless the NPP has been changed. Make sure this acknowledgement is documented. The NPP will need to be changed, reflecting changes in your policies or practices, immediately after such changes. The new NPP must then be distributed immediately.

My suggestion for you in regards to tracking is to have this tied into your registration system. So that even if a chart is not pulled the acknowledgement of the NPP will be realized. (Posted 5/15/03)

1. Do we have to have a separate medical records release other than the one on the patient information sheet that states we can release records to the insurance co or other healthcare provider? It seems like we only need a separate one if the patient wants a copy of their record.

2. We are doing a training session next week and I want to be sure we cover the main points of HIPAA privacy (I know we will have time to go over the little things later). We will discuss patient reminders, charts being turned around in the exam room doors, talking quietly when referencing other patients, and of course the privacy contract itself. Are we leaving out any major points?
You do not need a signed authorization to release records for healthcare providers if they are involved in the individual’s care nor do you need a signed authorization for release to health plans. Although, remember you must abide by minimum necessary rules when releasing to a health plan. This is also a good addition to your training to discuss minimum necessary both internally and when releasing information. All of the items you mentioned are good but you must remember that it is also a HIPAA requirement to train on all of your policies and procedures. Therefore every HIPAA regulation requiring a policy and procedure such as the patient’s rights must be included in your training. (Posted 5/15/03)

In most states Rx bottles with patient information on its label are dumped into the trash. What procedure does the HIPAA regulations expect a drugstore to follow with regards to this practice?
This is a great question. Many times people forget the many places PHI exists outside of the paper documentation. I have a couple suggestions for you. Often these labels are easily stripped from a prescription bottle and in that case I suggest removing them and placing them in a locked shredding receptacle and then of course these items will be shredded with other paper documents. If they are not easily stripped, a permanent black marker will obliterate the information and protect privacy of PHI. (Posted 5/15/03)

How are you recommending we handle disposal of IV bags, etc that have labels on them containing PHI? Is it acceptable to throw them in the regular trash cans with regular trash? Or would this place the hospital at risk for not handling it properly?
This is a great question. Many times people forget the many places PHI exists outside of the paper documentation. I have a couple suggestions for you. Often these labels are easily stripped from the IV bag or bottle and in that case I suggest taking them off and placing them in a locked shredding receptacle and then of course these items will be shredded with other paper documents. If they are not easily stripped, a permanent black marker will obliterate the information and protect privacy of PHI.

If you use unidose medication systems, the same should be done with those labels. (Posted 5/15/03)

In our dental office the reception desk is open to the waiting area. One of the front desk person's duties is making referral calls to specialists (oral surgeons, endodontists, periodontists.) Will these phone calls be considered a violation of the Privacy Rule if it is possible for her end of the calls to be overheard by other patients in the waiting room?
HIPAA does not provide that level of detail. Therefore, I place myself in that position to assist with finding an answer. If the receptionist is calling to make a referral for a full mouth extraction of my teeth and gives this information out along with other PHI and identifiers and my neighbor is in the waiting area and overhears this information, I would definitely feel that my privacy was breached.

HIPAA does not expect that information will not be overheard but does expect reasonable efforts to prevent this type of privacy breach. There are several ways to avoid this issue. Televisions, radios, or piped in music can supply enough noise to distract from these conversations. The receptionist can also turn her face away from the waiting area which muffles the conversation. Phone sets help with these conversations as well. And finally a barrier such as a window or screen will also contain the conversations.

It is wise to make reasonable attempts to keep overheard conversations to a minimum. (Posted 5/15/03)

We are a medium sized general dental practice with approximately 2800 patient records. What is our requirement to safeguard the patient charts. Do they need to be locked within a filing cabinet or can they remain in our existing open chart shelves as long a physical barriers such as doors can be locked? Do we have purchase new filing cabinets which can be locked?
The regulations do not specify what type of measures that a practice needs to go to in regards to putting safeguards around your records. The regs do state that you must make a "reasonable" effort to protect any patient's PHI. So the question is, what is "reasonable".

In your case, if you have existing physical barriers, such as a locking door, or a closed off area that can be secured from unauthorized entry, then that seems to be a "reasonable effort". Just make sure that when you look at the area, determine if there are other means into the room besides the door.

Examples would be: windows that are not or can't be locked, drop ceilings tiles, multiple access points (entry ways) from other rooms.

Also, the privacy and security regulations should be looked at as a minimum or baseline level of security that you could always augment to, at sometime, to ensure another layer of security. Could you add that extra layer of security by buying locking cabinets? Yes, you could and then you have made a very strong "good faith" effort to ensure the PHI is secure. But again, keep in mind this is going a step beyond a baseline level of security.

So, in summary, assess your file room for the above mentioned access points, and determine if it can be secured thru a single or multiple methods. If it can, then you have made a "reasonable" effort. But, if you would choose to add another layer, such as the cabinets, you could do that as well. (Posted 5/15/03)

I need further clarification regarding privacy curtains. I work for a pediatric dentist who has chairs in an open bay area. Is he required by HIPAA to put up privacy curtains for treating children or does HIPAA make an exception for pediatrics?
HIPAA does not make any distinction for pediatrics, however, for this case, privacy curtains are not required, but encouraged. Any way that privacy can be expanded, should be so, but is not required.

However, if the set up of the room consistently allows open observation of other patients, then as a privacy concern, shouldn’t this be controlled by curtains or movable barriers such as walls or panels?

Anything you can do to provide privacy should be encouraged and implemented. (Posted 5/15/03)

I work for a neurology practice and have questions regarding patient's confidentiality. This office uses a sign in sheet that stays at the front desk. If the sign in sheet is left out where everyone can see it, does this mean that we are violating patient confidentiality?? Also when calling patient's back, we do not believe in calling patient's by a 1st name basis, does calling the patient back using either first or last name violate their rights??? Is it best to use a number system even though this is not personable????
Sign in sheets are totally acceptable per the guidelines issued this summer and last fall in support of the regulations. Still, if it is possible to use a different sign in sheet, and / or minimize the information on the sign in sheet, you will increase privacy of your patients.

Items to consider are:

How much information is requested on your sign in sheets?

What is the use of the sign in sheet, to keep track of patients, check times in and out? Then possibly a single piece of paper for each patient, with patient information transferred onto a master sheet during the day?

Calling names of patients is acceptable, using either first or last name. Some clinics or hospitals have gone to number systems, but how you give out information is the important thing.

At a STD clinic, you wouldn't want to announce, Joe Smith for his HIV test... But for your neurology practice, either name is acceptable. (Posted 5/15/03)

I am looking for information on storing and destroying files under the HIPAA guidelines. Specifically,

1. Before shredding or burning documents what is the documentation process?

2. Also, where can I get a copy of the HIPAA rules and regulations.? 3. What are the guidelines for storage of old x-ray and other imaging films?
Usually the healthcare hospitals / health plans we have worked for follow state guidelines on destruction documentation. HIPAA rules do not say that prior to destruction that information must be documented, but we always suggest that amounts of items to be destroyed, along with a proper policy and procedure (in conjunction to training your employees) be followed by your organization.

Some states require certain files to be kept for a longer period of time, and then you would follow those guidelines. HIPAA states that you will keep some information for 6 years, but it depends on the paper or electronic information. Destruction usually follows what your working arrangement with your recycle company or whomever destroys the information and they should give you a statement or certificate of destruction. Also, you will want some type of confidentiality agreement in the contract, that their employees will be careful of your information and it will be destroyed properly and in a timely manner. Other media, such as computer disks, x-ray, etc, can be destroyed when no longer needed. Storage will depend on state law and your own rules, besides treating it as patient health information (paper, x-rays, all of those kind of items) must be treated the same for confidentiality, storage and disposal.

Here is the location for Administrative Simplification and then obtaining the HIPAA rules: (Posted 5/15/03)

Can we have a copy of today schedule up where the patients might see it if it only contains the patients names not the treatment or reason for the visit?
Patient names are PHI, and if you can post the schedule where only employees can see it, this increases patient privacy. OCR has stated that it is acceptable to have sign-in sheets, limiting the information to the patients name, the medical problem and as little information as feasible. So, having a schedule with patients name is essentially the same thing, but keeping to the minimum allowed, then try not do not display the list in a conspicuous place, but place it where others do not see it. (Posted 5/15/03)

I am the office manager for 3 Family Nurse Practioners, my question relates to the postcards we send out to remind patients to schedule appointments. Can they be open or do they need to be a folded over type?
Postcards have very little privacy and many facilities are now using envelopes instead of postcards and of course a folded over postcard would ensure an added measure of privacy. However, it really matters on what your business is and what the postcard states on it. For instance, if you worked at an oncology clinic, a reminder to come into the clinic, could give too much information to the average person who happened to see your postcard.

As a Family Nurse Practitioner and in the area of reminding people to schedule appointments, I feel this is a very small risk and would use either the postcard or a fold-over postcard. Keep in mind that if you are reminding individuals to come in for an appointment for specific aliments, then I would ere on the side of privacy. Also, if the cost difference were small between an open postcard and a fold-over postcard, I would opt for a fold-over one. (Posted 5/15/03)

Faxing information to or from your office to a doctors office or insurance company is perfectly acceptable. The concern is when the information is being sent to another entity or organization outside of a known business arrangement. Either the patient health information must be with a signed release, or the information is being shared among business associates / partners.

Try to limit any disclosures by sending any patient health information to a known location. The person sending the PHI should know where it is going and that someone is available to secure that information by directly receiving it or it is in an area away from public access and viewing. (Posted 5/15/03)

Recently, we received a request from a nationwide workers comp administrator trying to determine if a patient had any medical records in existence in our clinic. Our response was that we are HIPAA compliant and that we would need the patient's written authorization to consider their request. The administrator's customer service rep. indicated that workers comp is exempt from that rule. Is this true?
In answer to your question, for the most part, Workers Compensation is "mostly exempt" from HIPAA Privacy regulations. There are limitations. The following is taken from the final HIPAA Privacy rule Guidance:

The HIPAA Privacy Rule does not apply to entities that are either workers’ compensation insurers, workers’ compensation administrative agencies, or employers, except that they may otherwise be covered entities. According to the Privacy Rule, these entities need access to the health information of individuals who are injured on the job or who have a work-related illness to process or adjudicate claims, or to coordinate care under workers’ compensation systems. This healthcare information is normally obtained from health care providers who treat these individuals and who may be covered by the Privacy Rule. The Privacy Rule addresses the need of insurers and other entities involved in the workers’ compensation systems to have access to individuals’ health information as authorized by State or other law. Due to the significant variability among such laws, the Privacy Rule permits disclosures of health information for workers’ compensation purposes in a number of different ways.

Disclosures Without Individual Authorization. The Privacy Rule permits covered entities to disclose protected health information to workers’ compensation insurers, State administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization:

As authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault.

To the extent the disclosure is required by State or other law. The disclosure must comply with and be limited to what the law requires. See 45 CFR 164.512(a).

For purposes of obtaining payment for any health care provided to the injured or ill worker. See 45 CFR 164.502(a)(1)(ii) and the definition of “payment” at 45 CFR 164.501.

Disclosures With Individual Authorization. In addition, covered entities may disclose protected health information to workers’ compensation insurers and others involved in workers’ compensation systems where the individual has provided his or her authorization for the release of the information to the entity. The authorization must contain the elements and otherwise meet the requirements specified at 45 CFR 164.508.

Minimum Necessary. Covered entities are required reasonably to limit the amount of protected health information disclosed under 45 CFR 164.512(l) to the minimum necessary to accomplish the workers’ compensation purpose. Under this requirement, protected health information may be shared for such purposes to the full extent authorized by State or other law.

In addition, covered entities are required reasonably to limit the amount of protected health information disclosed for payment purposes to the minimum necessary. Covered entities are permitted to disclose the amount and types of protected health information that are necessary to obtain payment for health care provided to an injured or ill worker.

Where a covered entity routinely makes disclosures for workers’ compensation purposes under 45 CFR 164.512(l) or for payment purposes, the covered entity may develop standard protocols as part of its minimum necessary policies and procedures that address the type and amount of protected health information to be disclosed for such purposes.

Where protected health information is requested by a State workers’ compensation or other public official, covered entities are permitted to reasonably rely on the official’s representations that the information requested is the minimum necessary for the intended purpose. See 45 CFR 164.514(d)(3)(iii)(A).

Covered entities are not required to make a minimum necessary determination when disclosing protected health information as required by State or other law, or pursuant to the individual’s authorization. See 45 CFR 164.502(b). (Posted 5/15/03)

I am the new Privacy Officer for our Ophthamology practice. Our question is from our billing office. Most of our patients are elderly and have family members taking care of their finances. Is it safe to assume we can disclose the information given we use our identifiers?
I am slightly confused about the reference to identifiers. This is a different area of HIPAA compliance and really doesn’t relate to the family member taking care of finances.

There are varying opinions on your question. My answer should not be construed as a legal opinion. We are not giving a legal opinion in this matter.

My feeling is that your situation would dictate the receipt of an authorization from the patient to allow “family and friends” to participate in the patient’s care and the handling of his or her affairs. Unless the patient has been deemed to be incompetent, an authorization should be given by the patient. (Posted 5/15/03)

I work in a health care environment and our employer educated us well on the the new HIPAA rules that went into effect a few weeks ago, but one thing I don't understand is why the Pastor of our church would tell the congregation that it will no longer be able to continue a prayer chain for those in need of healing or post names of those ill or hospitalized in our newsletter to be prayed for? I understand that Pastor can not call the hospital and request names or information about members but if a member is in the hospital and would like the congregation to pray for them why can't their name be mentioned during the service or printed in the bulletin to be prayed for?

Is someone over re-acting? Or is there a rule that states this can not happen?
There are no specific rules regarding Pastoral care, other than the option of the patient to “opt out” from letting clergy know about their healthcare condition. Many hospitals and healthcare providers are working on the side of caution when dealing with Clergy. Some healthcare providers are training their staffs and their Clergy (not generally part of the paid hospital/healthcare staff) that no information may be given at any time.

Understandably, people want to know when people are ill, hospitalized, etc. It’s always a good practice to ask a patient or his/her family if they would mind if an announcement is made or if they are added to the prayer chain. (Posted 5/15/03)