Following are frequently asked questions about HIPAA. You can also download a PDF version of the entire list of questions and answers.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule controls the use and disclosure of what is known as Protected Health Information (PHI). Many of the applications of the Privacy Rule are simply common sense. Others are somewhat more complex and afford the patient a great deal of flexibility in accessing the content of their medical record and how that content (PHI) is used. As well, the Privacy Rule enables the patient to control the disclosure of their PHI to certain entities.

What is Protected Health Information (PHI)?

With few exceptions, PHI includes Individually Identifiable Health Information (IIHI) held or disclosed by a practice regardless of how it is communicated (e.g., electronically, verbally, or written).

What is Individually Identifiable Information (IIHI)?

Any health information (including demographic information) that is collected from the patient or created or received by a healthcare provider or other covered entity or employer that relates to 1) the past, present or future physical or mental health or condition of an individual; 2) the provision of healthcare; or 3) the past, present or future payment for the provision of healthcare at your practice; when this information could potentially identify an individual.

What is a covered entity?

For purposes of the HIPAA Privacy Rule, “covered entities” are health plans, health care clearinghouses and health care providers that transmit health information in electronic form as part of a transaction covered by the HIPAA electronic transaction standards. A HIPAA electronic transaction is the electronic transmission of information between two parties to carry out the financial or administrative activities related to health care, including but not limited to: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; eligibility for a health plan; and referral certification and authorization.

What is a business associate and how does a covered entity determine who their business associates are?

A business associate is a person or entity that is not a member of a medical practice’s workforce, but who uses or discloses PHI maintained by the practice to carry out functions or activities for or on behalf of the medical practice or other covered entity. The starting point to determine who your business associates are is to examine your general ledger and see who you write checks to every month. This is usually a good indicator of who may have access to your practice’s PHI.

If a medical practice utilizes a locums tenens, is the practice required to execute a business associate agreement with this physician or the locum tenens agency?

No, a business associate agreement is not necessary. However, for purposes of the Privacy Rule the locums tenens physician is considered to be a member of your practice’s workforce and therefore he/she must receive the same privacy training as other providers and staff in the medical practice. The agency that placed or provided the locums tenens is not a business associate because they do not have access to PHI.

When must a covered entity’s staff receive training on the Privacy Rule?

All existing members of a covered entity’s workforce are required to receive training on the Privacy Rule, both at the outset of employment and periodically thereafter. It is recommended that this training be incorporated into the practice’s new employee orientation program.

When a medical practice needs to leave a message for one of its patients, how specific a message can be left on a patient’s voicemail?

Limit the information left on a voicemail to simply the name and phone number of the person to return the phone call to. Avoid leaving lab and test results and any financial information on a voicemail.

When sending mail to patients, is it acceptable to have the return address and the name of the practice on the envelope?

Yes, it is acceptable to still use the name and address of your practice on an envelope.

In some sensitive situations (oncology, infectious disease) you might consider the recommendation to use a post office box as a return address and remove the name of the practice in order to better protect patients’ privacy; however, it remains important to ensure that information reaches patients, so such actions should be reserved for very sensitive situations. Additionally, the
patient has the right to request that he/she be contacted at an alternative location (e.g., at work) or via alternative means (e.g., via telephone); therefore, if the patient is truly concerned about the manner in which he/she receives sensitive information from your practice, he/she may request a reasonable alternative. For those practices who send out appointment reminder post cards, the recommendation is that you use a fold-over postcard in order to better protect patient’s confidentiality.

We receive written documentation from life insurance companies requesting release of patient medical information. Our patients sign a release form that says “I authorize Doctor X to release my medical information to X Life Insurance Company.” This form goes into the patient’s file. Does our practice still need to get an authorization signed by the patient or can we utilize the form sent by the insurance company?

The form signed by the patient above does not meet HIPAA requirements. You may use the form supplied by the insurance company or patient only if contains all of the elements required by HIPAA for a valid authorization form. If not, you should require the patient to sign the practice’s standard form. The nine authorization elements required by the Privacy Rule are:

  • description of the information to be used or disclosed.
  • a description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization.
  • name or other specific identification of the persons or class of person(s) authorized to make the requested use or disclosure.
  • name or other specific identification of the person(s) or class of persons to whom the covered entity may make the requested use or disclosure.
  • an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
  • state that the information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer be protected by the Privacy Rule.
  • the signature of the individual and a date.
  • notify the individual that a revocation will not effect action already taken in reliance on the authorization form.
  • notify the patient that a provider may not condition treatment on the patient signing the authorization form. (Please note: different rules apply if the use or disclosure is for research-related treatment or PHI created for use by a third party)
  • notify the individual of the right to revoke the authorization and the process for so doing.

Can you utilize a third party’s authorization form or do you have to use the authorization form specific to your practice?

You may utilize the third party’s authorization form as long as it contains the elements required by the Privacy Rule.

When a medical practice is completing papers on behalf of the patient under the Family Medical Leave Act for disclosure of certain information of the Employer, are they required to get an authorization?

Yes, protected health information is disclosed to an employer on behalf of a patient for reasons related to Family Medical Leave Act, such as for pregnancy, an authorization signed by the patient must be obtained by the Practice prior to disclosing such
information to the employer. However, no authorization is required if the disclosure to the Employer under the FMLA is required by law.

When completing paperwork on behalf of a patient for disability insurance, is an authorization required prior to disclosing or returning such paperwork to the patients’ employer or to the insurer?

If information about a patient is being disclosed to a third party such as an employer for reasons other than for treatment, payment or operations (TPO), a signed authorization

is required from the patient prior to disclosing that information. In the case of disability insurance, when disclosing information to the employer or to the disability insurer, then the practice must obtain a signed authorization from the patient.

If a patient refuses to sign an authorization form, can you refuse to treat the patient?

In general, you cannot condition treatment upon receipt of a signed authorization form.

For example, if a medical practice presents an authorization form to a patient for signature authorizing the practice to utilize that patient’s information for research purposes, and the patient refuses to sign it, the practice cannot refuse to treat the patient. However, if the patient is to receive treatment in connection with the research and he/she refuses to sign the authorization, the treatment may be denied. Also, if the treatment is requested solely for the purpose of disclosure such information to a third party (e.g., occupational drug testing), and the individual refuses to sign the authorization, the treatment may be denied.

Can you convey information concerning the health and treatment of a patient to his/her spouse or immediate family?

Yes, you can unless the patient has explicitly indicated to the contrary or completed the “Restrictions on Uses and Disclosures of PHI” form requesting that the covered entity only communicate information to him/her and not to any family members. You should also determine whether additional state laws restrict certain health information from spouses or immediate family.

Do you have to document that patients have received a copy of the practice’s Notice of Privacy Practices?

Final Privacy Rule requires covered entities to make “good faith efforts” to obtain written verification that patients have received a copy of the Notice of Privacy Practices. Covered entities should have patients sign an acknowledgement form when they receive a copy of the Notice of Privacy Practices. Medical practices should also keep a copy of this written acknowledgment in patients’ medical records. If a covered entity utilizes an electronic medical record, the patient can either sign electronically or the hard copy
verification can be scanned into the patient’s medical record. If a written acknowledgment from the patient cannot be obtained, the covered entity must document its efforts to receive it.

If two different medical practices with separate tax identification numbers are sharing space with each other, do you need to have a signed business associate agreement between the two practices?

Two medical practices will not be business associates of each other merely because they share office space. However, a business associate agreement is required if one practice provides services to the other practice as a “business associate” (e.g., billing services). The business associate agreement must describe the service provided by one practice on behalf of the other and further limit the use of the PHI to the performance of such services. Remember, health care providers may disclose PHI to one another for their respective treatment and payment activities, as well as some operational activities, such as quality assurance and improvement. Of course, PHI disclosed for payment and operational purposes must be disclosed in accordance with the minimum necessary standard.

If a breach of the Privacy Rule occurs and a lawsuit is filed, who would be responsible for paying the penalties? Is it the covered entity or the staff member who violated the Privacy Rule?

There is no private right of action under HIPAA — that is, a patient cannot bring suit against the practice for a violation of the HIPAA standards. A lawsuit filed by a third party as a result of an alleged breach of privacy or breach of patient confidentiality would be filed pursuant to particular violations of other federal or state laws, NOT HIPAA. Rather, alleged HIPAA violations would be enforced by the HHS Office for Civil Rights (the HHS department assigned with the task of enforcing HIPAA). HIPAA violations carry fines and penalties, both civil and criminal, that would be assessed against a covered entity or an individual. However, a staff member who caused the privacy breach could (depending on the practice’s own internal policies) be held accountable for any financial penalties the covered entity incurs — either by way of HIPAA violations, or private actions. (Though most practices do not have and are not inclined to institute such penalizing policies.) Additionally, employees could be found individually liable for violations of HIPAA if acting outside of the scope of their employment.

Would the staff member who caused the privacy breach be named as a defendant in a civil lawsuit filed against the practice?

There are particular sanctions available for use by the HHS against individuals who violate the HIPAA Privacy Rule, though the enforcement and application of those sanctions will depend upon the enforcement decision made by the Office for Civil Rights. As noted above, HIPAA does not create a private right of action against individuals. If the practice were sued by an individual as a result of a breach of state or other federal confidentiality or privacy duties, it would not be unusual for the plaintiff to name individuals, as well as the practice, in such a suit.

Medical practices and other covered entities should take extra care in training their staff to make sure they understand the importance of patient privacy. Additionally, physicians and staff should be trained annually and should be required to sign workforce confidentiality agreements which will indicate the types of sanctions that may be applied to the employee (physician or staff, if applicable) who intentionally or unintentionally causes the practice to fail to meet its obligations under the Privacy Rule.

Are Workforce Confidentiality Agreements required by HIPAA?

No, they are not required by HIPAA. It is a recommendation that practices consider using them in order to stress to employees the importance of HIPAA compliance, with the goal of preventing privacy breaches.

Are medical residents considered to be Business Associates of the medical practice?

No, medical residents are acting as part of the medical practice’s workforce and therefore should receive privacy training just as any other physician or staff member would.

In addition, medical residents should sign workforce confidentiality agreements.

If a medical practice has information in a patient’s medical record that was acquired from another medical provider, is the medical practice required to release that information when it receives a request from a third party?

If you receive a patient’s authorization to release all of his/her medical records (i.e., the patient has not placed any restrictions on what you are to release to the third party), you should release that complete set of medical and billing records maintained by the practice and which are used in whole or in part to make decisions about the individual — in essence, the entire medical record created by your practice and any medical record received by the practice (relating to the patient) from other providers should be released.

Do medical practices need a business associate agreement with their janitor or cleaning service?

Business associate agreements are only required for third parties who are not employees of the medical practice but who provide a function on behalf of the practice that requires the use of patients’ PHI. Cleaning personnel do not need to have access to PHI in order

to clean the medical practice. Practices must implement administrative, technical and physical safeguards to protect PHI; therefore, the practice’s policies should work to prevent such exposures (e.g., appropriate document destruction, locked file cabinets, etc.)

Does a covered entity need a business associate agreement with a third party’s employees or the third party (e.g., a vendor)?

The covered entity should enter into a business associate agreement with the company (e.g., a vendor) and not the company’s employees. For example, if a medical practice engages a consulting firm to conduct a coding audit in your medical practice, the medical practice would enter into a business associate agreement with the consulting firm and not with the individual consultants who will be onsite conducting the coding audit.

Does the “Amend PHI” form need to be completed by the patient when there is a change in a patient’s demographic information?

No, the medical practice can simply update the demographic information as given by the patient either verbally or in written form. The “Amend PHI” form should be used by covered entities when a patient requests that medical information in his/her medical record be changed or deleted.

If a medical practice has a new patient on its schedule who has first been seen in the local hospital, is the medical practice allowed to request information from the hospital in advance of seeing the patient?

Yes, HIPAA does not preclude covered entities who are health care providers from sharing patient PHI with each other for treatment or payment purposes.

If a patient wants a copy of his/her medical record, is the medical practice allowed to charge the patient for it?

Laws surrounding the copying of medical records vary from state to state. It is recommended that a practice check its state law before charging patients for copying their medical records. Your state medical association may be able to provide you with this information.