The HIPAA Privacy Rule controls the use and disclosure of what is known as Protected Health Information (PHI). Many of the applications of the Privacy Rule are simply common sense. Others are somewhat more complex and afford the patient a great deal of flexibility in accessing the content of their medical record and how that content (PHI) is used. As well, the Privacy Rule enables the patient to control the disclosure of their PHI to certain entities.
With few exceptions, PHI includes Individually Identifiable Health Information (IIHI) held or disclosed by a practice regardless of how it is communicated (e.g., electronically, verbally, or written).
Individually Identifiable Health Information is any health information (including demographic information) that is collected from the patient or created or received by a healthcare provider, other covered entity or employer, that relates to 1) the past, present or future physical or mental health or condition of an individual; 2) the provision of healthcare; or 3) the past, present or future payment for the provision of healthcare at your practice, when this information could potentially identify an individual.
For purposes of the HIPAA Privacy Rule, “covered entities” are health plans, health care clearinghouses and health care providers that transmit health information in electronic form as part of a transaction covered by the HIPAA electronic transaction standards. A HIPAA electronic transaction is the electronic transmission of information between two parties to carry out the financial or administrative activities related to health care, including but not limited to: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; eligibility for a health plan; and referral certification and authorization.
A business associate is a person or entity that is not a member of a medical practice’s workforce, but who uses or discloses PHI maintained by the practice to carry out functions or activities for or on behalf of the medical practice or other covered entity. The starting point to determine who your business associates are is to examine your general ledger and see who you write checks to every month. This is usually a good indicator of who may have access to your practice’s PHI.
No, a business associate agreement is not necessary. However, for purposes of the Privacy Rule the locum tenens physician is considered to be a member of your practice’s workforce and therefore he/she must receive the same privacy training as other providers and staff in the medical practice. The agency that placed or provided the locum tenens is not a business associate because it does not have access to PHI.
All existing members of a covered entity’s workforce are required to receive training on the Privacy Rule, both at the outset of employment and periodically thereafter. It is recommended that this training be incorporated into the practice’s new employee orientation program.
Limit the information left on a voicemail to simply the name and phone number of the person to return the phone call to. Avoid leaving lab and test results and any financial information on a voicemail.
Yes, it is acceptable to still use the name and address of your practice on an envelope. In some sensitive situations (oncology, infectious disease) you might consider the recommendation to use a post office box as a return address and remove the name of the practice in order to better protect patients’ privacy; however, it remains important to ensure that information reaches patients, so such actions should be reserved for very sensitive situations. Additionally, the patient has the right to request that he/she be contacted at an alternative location (e.g., at work) or via alternative means (e.g., via telephone); therefore, if the patient is truly concerned about the manner in which he/she receives sensitive information from your practice, he/she may request a reasonable alternative. For those practices that send out appointment reminder post cards, the recommendation is that you use a fold-over postcard in order to better protect patients’ confidentiality.
The form signed by the patient above does not meet HIPAA requirements. You may use the form supplied by the insurance company or patient only if it contains all of the elements required by HIPAA for a valid authorization form. If not, you should require the patient to sign the practice’s standard form. The nine authorization elements required by the Privacy Rule are:
You may utilize the third party’s authorization form as long as it contains the elements required by the Privacy Rule.
Yes. If protected health information is disclosed to an employer on behalf of a patient for reasons related to the Family Medical Leave Act (FMLA), such as for pregnancy, an authorization signed by the patient must be obtained by the practice prior to disclosing such information to the employer. However, no authorization is required if the disclosure to the employer under the FMLA is required by law.
If information about a patient is being disclosed to a third party such as an employer for reasons other than treatment, payment or operations (TPO), a signed authorization is required from the patient prior to disclosing that information. In the case of disability insurance, when disclosing information to the employer or to the disability insurer, the practice must obtain a signed authorization from the patient.
In general, you cannot condition treatment upon receipt of a signed authorization form. For example, if a medical practice presents an authorization form to a patient for signature authorizing the practice to utilize that patient’s information for research purposes, and the patient refuses to sign it, the practice cannot refuse to treat the patient. However, if the patient is to receive treatment in connection with the research and he/she refuses to sign the authorization, the treatment may be denied. Also, if the treatment is requested solely for the purpose of disclosing such information to a third party (e.g., occupational drug testing), and the individual refuses to sign the authorization, the treatment may be denied.
Yes, you can unless the patient has explicitly indicated to the contrary or completed the “Restrictions on Uses and Disclosures of PHI” form requesting that the covered entity only communicate information to him/her and not to any family members. You should also determine whether additional state laws restrict certain health information from spouses or immediate family.
The final Privacy Rule requires covered entities to make “good faith efforts” to obtain written verification that patients have received a copy of the Notice of Privacy Practices. Covered entities should have patients sign an acknowledgement form when they receive a copy of the Notice of Privacy Practices. Medical practices should also keep a copy of this written acknowledgment in patients’ medical records. If a covered entity utilizes an electronic medical record, the patient can either sign electronically or the hard copy verification can be scanned into the patient’s medical record. If a written acknowledgment from the patient cannot be obtained, the covered entity must document its efforts to obtain it.
Two medical practices will not be business associates of each other merely because they share office space. However, a business associate agreement is required if one practice provides services to the other practice as a “business associate” (e.g., billing services). The business associate agreement must describe the service provided by one practice on behalf of the other and further limit the use of the PHI to the performance of such services. Remember, health care providers may disclose PHI to one another for their respective treatment and payment activities, as well as some operational activities, such as quality assurance and improvement. Of course, PHI disclosed for payment and operational purposes must be disclosed in accordance with the minimum necessary standard.
There is no private right of action under HIPAA — that is, a patient cannot bring suit against the practice for a violation of the HIPAA standards. A lawsuit filed by a third party as a result of an alleged breach of privacy or breach of patient confidentiality would be filed pursuant to particular violations of other federal or state laws, NOT HIPAA. Rather, alleged HIPAA violations would be enforced by the HHS Office for Civil Rights (the HHS department assigned with the task of enforcing HIPAA). HIPAA violations carry fines and penalties, both civil and criminal, that would be assessed against a covered entity or an individual. However, a staff member who caused the privacy breach could (depending on the practice’s own internal policies) be held accountable for any financial penalties the covered entity incurs — either by way of HIPAA violations, or private actions. (Though most practices do not have and are not inclined to institute such penalizing policies.) Additionally, employees could be found individually liable for violations of HIPAA if acting outside of the scope of their employment.
There are particular sanctions available for use by the HHS against individuals who violate the HIPAA Privacy Rule, though the enforcement and application of those sanctions will depend upon the enforcement decision made by the Office for Civil Rights. As noted above, HIPAA does not create a private right of action against individuals. If the practice were sued by an individual as a result of a breach of state or other federal confidentiality or privacy duties, it would not be unusual for the plaintiff to name individuals, as well as the practice, in such a suit. Medical practices and other covered entities should take extra care in training their staff to make sure they understand the importance of patient privacy. Additionally, physicians and staff should be trained annually and should be required to sign workforce confidentiality agreements which will indicate the types of sanctions that may be applied to the employee (physician or staff, if applicable) who intentionally or unintentionally causes the practice to fail to meet its obligations under the Privacy Rule.
No, they are not required by HIPAA. It is a recommendation that practices consider using them in order to stress to employees the importance of HIPAA compliance, with the goal of preventing privacy breaches.
No, medical residents are acting as part of the medical practice’s workforce and therefore should receive privacy training just as any other physician or staff member would. In addition, medical residents should sign workforce confidentiality agreements.
If you receive a patient’s authorization to release all of his/her medical records (i.e., the patient has not placed any restrictions on what you are to release to the third party), you should release that complete set of medical and billing records maintained by the practice and which are used in whole or in part to make decisions about the individual — in essence, the entire medical record created by your practice and any medical record received by the practice (relating to the patient) from other providers should be released.
Business associate agreements are only required for third parties who are not employees of the medical practice but who perform a function on behalf of the practice that requires the use of patients’ PHI. Cleaning personnel do not need to have access to PHI in order to clean the medical practice. Practices must implement administrative, technical and physical safeguards to protect PHI; therefore, the practice’s policies should work to prevent such exposures (e.g., appropriate document destruction, locked file cabinets, etc.).
The covered entity should enter into a business associate agreement with the company (e.g., a vendor) and not with the company’s employees. For example, if a medical practice engages a consulting firm to conduct a coding audit, the medical practice would enter into a business associate agreement with the consulting firm and not with the individual consultants who will be onsite conducting the coding audit.
No, the medical practice can simply update the demographic information as given by the patient either verbally or in written form. The “Amend PHI” form should be used by covered entities when a patient requests that medical information in his/her medical record be changed or deleted.
Yes, HIPAA does not preclude covered entities who are health care providers from sharing patient PHI with each other for treatment or payment purposes.
Laws surrounding the copying of medical records vary from state to state. It is recommended that a practice check its state law before charging patients for copying their medical records. Your state medical association may be able to provide you with this information.
Copyright © 2015 American Academy of Dermatology. All rights reserved.
Reproduction or republication strictly prohibited without prior written permission.