HIPAA Frequently Asked Questions
WILLAMETTE DENTAL HIPAA COMPLIANCE PROGRAM
The Health Insurance Portability and
Accountability Act of 1996 (HIPAA) is a federal regulatory effort that
has far-reaching effects on the nation's health care industry.
The Willamette Dental HIPAA program focuses on complying with HIPAA's
new standards for electronic data interchange (EDI), transactions (code
sets for diagnoses and procedures), protecting the privacy of health
information, information security, and standards for identifier codes
(for providers, employers, dental plans and individual patients,
meaning Willamette Dental members) by the compliance dates set for these
regulations.
Below you will find the answers to many frequently asked questions about HIPAA.
HIPAA PRIVACY RULE
What does the HIPAA Privacy Rule do?
Why is the HIPAA Privacy Rule needed?
Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?
CONFIDENTIALITY
Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?
Does the HIPAA Privacy Rule require hospitals and doctors' offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?
May physicians' offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients' homes?
May physicians' offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?
Are physicians and doctors' offices prohibited from maintaining patient medical charts at bedside or outside of exam rooms, or from engaging in other customary practices where the potential exists for patient information to be incidentally disclosed to others?
A clinic customarily places patient charts in the plastic box outside an exam room. It does not want the record left unattended with the patient, and physicians want the record close by for fast review right before they walk into the exam room. Will the HIPAA Privacy Rule allow the clinic to continue this practice?
In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule's minimum necessary requirements?
THE INDIVIDUAL'S PERSONAL REPRESENTATIVE
Who must be recognized as the Individual's Personal Representative?
How does a covered entity identify an individual's personal representative?
PARENTS AND CHILDREN
Does the HIPAA Privacy Rule allow parents the right to see their children's medical records?
If a child receives emergency medical care without a parent's consent, can the parent get all information about the child's treatment and condition?
Does the HIPAA Privacy Rule provide rights for children to be treated without parental consent?
When an individual reaches the age of majority or becomes emancipated, who controls the protected health information concerning health care services rendered while the individual was an unemancipated minor?
WRITTEN CONSENT
Can health care providers, such as a specialist or hospital, to whom a patient is referred for the first time, use protected health information to set up appointments or schedule surgery or other procedures without the patient's written consent?
Are health care providers restricted from consulting with other providers about a patient's condition without the patient's written authorization?
PHARMACIES AND PRESCRIPTIONS
Does the HIPAA Privacy Rule restrict pharmacists from giving advice about over-the-counter medicines to customers?
Can a patient have a friend or family member pick up a prescription for her?
What is the difference between "consent" and "authorization" under the HIPAA Privacy Rule?
DISCLOSING HEALTH INFORMATION
What is the difference between "consent" and "authorization" under the HIPAA Privacy Rule?
May a health care provider disclose protected health information to a health plan for the plan's Health Plan Employer Data and Information Set (HEDIS)?
Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?
CONSUMER CREDIT REPORTING/COLLECTIONS/WORKERS' COMPENSATION
Does the HIPAA Privacy Rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)?
Does the HIPAA Privacy Rule prevent health plans and providers from using debt collection agencies? Does the Privacy Rule conflict with the Fair Debt Collection Practices Act?
Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the HIPAA Privacy Rule?
Won't the HIPAA Privacy Rule's minimum necessary standard impede the ability of workers' compensation insurers, State administrative agencies, and employers to obtain the health information needed to pay injured or ill workers the benefits guaranteed them under the State workers' compensation system?
Does an individual have a right under the HIPAA Privacy Rule to restrict the protected health information his or her health care provider discloses for workers' compensation purposes?
Does the HIPAA Privacy Rule permit a health care provider to disclose an injured or ill worker's protected health information without his or her authorization when requested for purposes of adjudicating the individual's workers' compensation claim?
EMERGENCIES
Are hospitals or other health care providers required to provide their notices to patients they treat in an emergency?
PRIVACY POLICIES
Does the HIPAA Privacy Rule require a health care provider to obtain a new acknowledgment of receipt of the notice from patients if the facility changes its privacy policy?
How are health care providers supposed to provide the notice to individuals and obtain their written acknowledgment of the notice when the first treatment encounter is over the phone or in some other manner that is not face-to-face?
HEALTH CARE PROFESSIONALS
As a pediatrician, am I required to give my notice of privacy practices to the children I treat?
Are health care providers required by the HIPAA Privacy Rule to post their entire notice at their facility or may they post just a brief description of the notice?
Can a covered entity bypass obtaining an individual's authorization for a use or disclosure not permitted by the HIPAA Privacy Rule simply by informing individuals of the use or disclosure through its notice of privacy practices?
Is our medical practice required to notify patients through the mail of any changes to our notice?
Is a physician required to give her notice to every patient or can she just post the notice in her waiting room and give a copy to those patients who ask for it?
If patients request copies of their medical records as permitted by the Privacy Rule, are they required to pay for the copies?
FACSIMILES
Can a physician's office FAX patient medical information to another physician's office?
DISCUSSING HEALTH INFORMATION WITH FAMILY, FRIENDS & 3RD PARTIES
Does the HIPAA Privacy Rule permit a doctor to discuss a patient's health status, treatment, or payment arrangements with the patient's family and friends?
Does the HIPAA Privacy Rule allow parents the right to see their children's medical records?
Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?
What does the HIPAA Privacy Rule do?
Most health plans and health care providers that are covered by the new
Rule must comply with the new requirements by April 14, 2003.
The HIPAA Privacy Rule for the first time creates national standards to
protect individuals' medical records and other personal health
information.
- It gives patients more control over
their health information.
- It sets boundaries on the use and
release of health records.
- It establishes appropriate safeguards
that health care providers and others must achieve to protect the
privacy of health information.
- It holds violators accountable, with
civil and criminal penalties that can be imposed if they violate
patients' privacy rights.
- And it strikes a balance when public
responsibility supports disclosure of some forms of data - for
example, to protect public health.
For patients - it means being able to make
informed choices when seeking care and reimbursement for care based on
how personal health information may be used.
- It enables patients to find out how
their information may be used, and about certain disclosures of
their information that have been made.
- It generally limits release of
information to the minimum reasonably needed for the purpose of the
disclosure.
- It generally gives patients the right
to examine and obtain a copy of their own health records and request
corrections.
- It empowers individuals to control
uses and disclosures of their health information.
Why is the HIPAA Privacy Rule needed?
In enacting HIPAA, Congress mandated the establishment of Federal
standards for the privacy of individually identifiable health
information. When it comes to personal information that moves across
hospitals, doctors' offices, insurers or third party payers, and State
lines, our country has relied on a patchwork of Federal and State laws.
Under the patchwork of laws existing prior to adoption of HIPAA and the
Privacy Rule, personal health information could be distributed without
either notice or authorization for reasons that had nothing to do with
a patient's medical treatment or health care reimbursement. For example,
unless otherwise forbidden by State or local law, without the Privacy
Rule patient information held by a health plan could, without the
patient's permission, be passed on to a lender who could then deny the
patient's application for a home mortgage or a credit card, or to an
employer who could use it in personnel decisions. The Privacy Rule
establishes a Federal floor of safeguards to protect the confidentiality
of medical information. State laws which provide stronger privacy
protections will continue to apply over and above the new Federal
privacy standards.
Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?
For the average health care provider or health plan, the Privacy Rule
requires activities, such as:
- Notifying patients about their privacy
rights and how their information can be used.
- Adopting and implementing privacy
procedures for its practice, hospital, or plan.
- Training employees so that they
understand the privacy procedures.
- Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
- Securing patient records containing
individually identifiable health information so that they are not
readily available to those who do not need them.
Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?
Yes. The HIPAA Privacy Rule is not intended to prohibit providers from
talking to each other and to their patients. Provisions of this Rule
requiring covered entities to implement reasonable safeguards that
reflect their particular circumstances and exempting treatment
disclosures from certain requirements are intended to ensure that
providers' primary consideration is the appropriate treatment of their
patients. The Privacy Rule recognizes that oral communications often
must occur freely and quickly in treatment settings. Thus, covered
entities are free to engage in communications as required for quick,
effective, and high quality health care. The Privacy Rule also
recognizes that overheard communications in these settings may be
unavoidable and allows for these incidental disclosures.
For example, the following practices are permissible under the Privacy
Rule, if reasonable precautions are taken to minimize the chance of
incidental disclosures to others who may be nearby:
- Health care staff may orally
coordinate services at hospital nursing stations.
- Nurses or other health care
professionals may discuss a patient's condition over the phone with
the patient, a provider, or a family member.
- A health care professional may discuss
lab test results with a patient or other provider in a joint
treatment area.
- A physician may discuss a patient's
condition or treatment regimen in the patient's semi-private room.
- Health care professionals may discuss
a patient's condition during training rounds in an academic or
training institution.
- A pharmacist may discuss a
prescription with a patient over the pharmacy counter, or with a
physician or the patient over the phone.
In these circumstances, reasonable
precautions could include using lowered voices or talking apart from
others when sharing protected health information. However, in an
emergency situation, in a loud emergency room, or where a patient is
hearing impaired, such precautions may not be practicable. Covered
entities are free to engage in communications as required for quick,
effective, and high quality health care.
Does the HIPAA Privacy Rule require hospitals and doctors' offices
to be retrofitted, to provide private rooms, and soundproof walls to
avoid any possibility that a conversation is overheard?
No, the Privacy Rule does not require these types of structural changes
be made to facilities.
Covered entities must have in place appropriate administrative,
technical, and physical safeguards to protect the privacy of protected
health information. This standard requires that covered entities make
reasonable efforts to prevent uses and disclosures not permitted by the
Rule. The Department does not consider facility restructuring to be a
requirement under this standard.
For example, the Privacy Rule does not require the following types of
structural or systems changes:
- Private rooms.
- Soundproofing of rooms.
- Encryption of wireless or other emergency medical radio communications which can be intercepted by
scanners.
- Encryption of telephone systems.
Covered entities must implement reasonable
safeguards to limit incidental, and avoid prohibited, uses and
disclosures. The Privacy Rule does not require that all risk of
protected health information disclosure be eliminated. Covered entities
must review their own practices and determine what steps are reasonable
to safeguard their patient information. In determining what is
reasonable, covered entities should assess potential risks to patient
privacy, as well as consider such issues as the potential effects on
patient care, and any administrative or financial burden to be incurred
from implementing particular safeguards. Covered entities also may take
into consideration the steps that other prudent health care and health
information professionals are taking to protect patient privacy.
Examples of the types of adjustments or modifications to facilities or
systems that may constitute reasonable safeguards are:
- Pharmacies could ask waiting customers to stand a few feet back from a counter used for patient counseling.
- In an area where multiple patient-staff communications routinely occur, use of cubicles,
dividers, shields, curtains, or similar barriers may constitute a
reasonable safeguard. For example, a large clinic intake area may
reasonably use cubicles or shield-type dividers, rather than
separate rooms, or providers could add curtains or screens to areas
where discussions often occur between doctors and patients or among
professionals treating the patient.
- Hospitals could ensure that areas housing patient files are supervised or locked.
May physician's offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients' homes?
Yes. The HIPAA Privacy Rule permits health care providers to communicate
with patients regarding their health care. This includes communicating
with patients at their homes, whether through the mail or by phone or in
some other manner. In addition, the Rule does not prohibit covered
entities from leaving messages for patients on their answering machines.
However, to reasonably safeguard the individual's privacy, covered
entities should take care to limit the amount of information disclosed
on the answering machine. For example, a covered entity might want to
consider leaving only its name and number and other information
necessary to confirm an appointment, or ask the individual to call back.
A covered entity also may leave a message with a family member or other
person who answers the phone when a patient is not home. The Privacy
Rule permits covered entities to disclose limited information to family
members, friends, or other persons regarding an individual's care, even
when the individual is not present. However, covered entities should use
professional judgment to assure that such disclosures are in the best
interest of the individual and limit the information disclosed. See 45
CFR 164.510(b)(3).
In situations where a patient has requested that the covered entity
communicate with him in a confidential manner, such as by alternative
means or at an alternative location, the covered entity must accommodate
that request, if reasonable. For example, the Department considers a
request to receive mailings from the covered entity in a closed envelope
rather than by postcard to be a reasonable request that should be
accommodated. Similarly, a request to receive mail from the covered
entity at a post office box rather than at home, or to receive calls at
the office rather than at home are also considered to be reasonable
requests, absent extenuating circumstances. See 45 CFR 164.522 (b).
May physicians' offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?
Yes. Covered entities, such as physician's offices, may use patient
sign-in sheets or call out patient names in waiting rooms, so long as
the information disclosed is appropriately limited. The HIPAA Privacy
Rule explicitly permits the incidental disclosures that may result from
the practice, for example, when other patients in a waiting room hear
the identity of the person whose name is called, or see other patient
names on a sign-in sheet. However, these incidental disclosures are
permitted only when the covered entity has implemented reasonable
safeguards and the minimum necessary standard, where appropriate. For
example, the sign-in sheet may not display medical information that is
not necessary for the purpose of signing in (e.g., the medical problem
for which the patient is seeing the physician). See 45 CFR
164.502(a)(1)(iii).
Are physicians and doctors' offices prohibited from maintaining patient medical charts at bedside or outside of exam rooms, or from engaging in other customary practices where the potential exists for patient information to be incidentally disclosed to others?
No. The HIPAA Privacy Rule does not prohibit covered entities from
engaging in common and important health care practices; nor does it
specify the specific measures that must be applied to protect an
individual's privacy while engaging in these practices. Covered entities
must implement reasonable safeguards to protect an individual's privacy.
In addition, covered entities must reasonably restrict how much
information is used and disclosed, where appropriate, as well as who
within the entity has access to protected health information. Covered
entities must evaluate what measures make sense in their environment and
tailor their practices and safeguards to their particular circumstances.
For example, the Privacy Rule does not prohibit covered entities from
engaging in the following practices, where reasonable precautions have
been taken to protect an individual's privacy:
- Maintaining patient charts at bedside
or outside of exam rooms, displaying patient names on the outside of
patient charts, or displaying patient care signs (e.g., "high fall
risk" or "diabetic diet") at patient bedside or at the doors of
hospital rooms.
Possible safeguards may include:
reasonably limiting access to these areas, ensuring that the area is
supervised, escorting non-employees in the area, or placing patient
charts in their holders with identifying information facing the wall or
otherwise covered, rather than having health information about the
patient visible to anyone who walks by.
- Announcing patient names and other information over a facility's public announcement system.
Possible safeguards may include: limiting the information disclosed over the system, such as referring the
patients to a reception desk where they can receive further instructions
in a more confidential manner.
- Use of X-ray lightboards or in-patient logs, such as whiteboards, at a nursing station.
Possible safeguards may include: if the
X-ray lightboard is in an area generally not accessible by the public,
or if the nursing station whiteboard is not readily visible to the
public, or any other safeguard which reasonably limits incidental
disclosures to the general public.
The above examples of possible safeguards are not intended to be
exclusive. Covered entities may engage in any practice that reasonably
safeguards protected health information to limit incidental uses and
disclosures.
A clinic customarily places patient charts in the plastic box outside an exam room. It does not want the record left unattended with the patient, and physicians want the record close by for fast review right before they walk into the exam room. Will the HIPAA Privacy Rule allow the clinic to continue this practice?
Yes, the Privacy Rule permits this practice as long as the clinic takes
reasonable and appropriate measures to protect the patient's privacy.
The physician or other health care professionals use the patient charts
for treatment purposes. Incidental disclosures to others that might
occur as a result of the charts being left in the box are permitted, if
the minimum necessary and reasonable safeguards requirements are met.
See 45 CFR 164.502(a)(1)(iii). As the purpose of leaving the chart in
the box is to provide the physician with access to the medical
information relevant to the examination, the minimum necessary
requirement would be satisfied. Examples of measures that could be
reasonable and appropriate to safeguard the patient chart in such a
situation would be limiting access to certain areas, ensuring that the
area is supervised, escorting non-employees in the area, or placing the
patient chart in the box with the front cover facing the wall rather
than having protected health information about the patient visible to
anyone who walks by. Each covered entity must evaluate what measures are
reasonable and appropriate in its environment. Covered entities may
tailor measures to their particular circumstances. See 45 CFR
164.530(c).
In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule's minimum necessary requirements?
No. The basic standard for minimum necessary uses requires that covered
entities make reasonable efforts to limit access to protected health
information to those in the workforce that need access based on their
roles in the covered entity.
The Department generally does not consider facility redesigns as
necessary to meet the reasonableness standard for minimum necessary
uses. However, covered entities may need to make certain adjustments to
their facilities to minimize access, such as isolating and locking file
cabinets or records rooms, or providing additional security, such as
passwords, on computers maintaining personal information.
Covered entities should also take into account their ability to
configure their record systems to allow access to only certain fields,
and the practicality of organizing systems to allow this capacity. For
example, it may not be reasonable for a small, solo practitioner who has
largely a paper-based records system to limit access of employees with
certain functions to only limited fields in a patient record, while
other employees have access to the complete record. In this case,
appropriate training of employees may be sufficient. Alternatively, a
hospital with an electronic patient record system may reasonably
implement such controls, and therefore, may choose to limit access in
this manner to comply with the Privacy Rule.
Who must be recognized as the Individual's Personal Representative?
The following chart displays who must be recognized as the personal
representative for a category of individuals:
If the Individual Is: An Adult or An Emancipated Minor
The Personal Representative Is: A person with legal authority to make health care decisions on behalf of the individual
Examples: Health care power of attorney; court appointed legal guardian; general power of attorney

If the Individual Is: An Unemancipated Minor
The Personal Representative Is: A parent, guardian, or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor child
Exceptions: See parents and minors discussion below.

If the Individual Is: Deceased
The Personal Representative Is: A person with legal authority to act on behalf of the decedent or the estate (not restricted to health care decisions)
Examples: Executor of the estate; next of kin or other family member; durable power of attorney
Parents and Unemancipated Minors. The Privacy Rule defers to State or
other applicable laws that address the ability of a parent, guardian, or
other person acting in loco parentis (collectively, "parent") to obtain
health information about a minor child. In most cases under the Rule,
the parent is the personal representative of the minor child and can
exercise the minor's rights with respect to protected health
information, because the parent usually has the authority to make health
care decisions about his or her minor child. Regardless of whether a
parent is the personal representative, the Privacy Rule permits a
covered entity to disclose to a parent, or provide the parent with
access to, a minor child's protected health information when and to the
extent it is expressly permitted or required by State or other laws
(including relevant case law). Likewise, the Privacy Rule prohibits a
covered entity from disclosing a minor child's protected health
information to a parent, or providing a parent with access to, such
information when and to the extent it is expressly prohibited under
State or other laws (including relevant case law). Thus, State and other
applicable law governs when such law explicitly requires, permits, or
prohibits the disclosure of, or access to, the health information about
a minor child.
The Privacy Rule specifies three circumstances in which the parent is
not the "personal representative" with respect to certain health
information about his or her minor child. These exceptions generally
track the ability of certain minors to obtain specified health care
without parental consent under State or other laws, or standards of
professional practice. In these situations, the parent does not control
the minor's health care decisions, and thus under the Rule, does not
control the protected health information related to that care. The three
exceptional circumstances when a parent is not the minor's personal
representative are:
- When State or other law does not
require the consent of a parent or other person before a minor can
obtain a particular health care service, and the minor consents to
the health care service;
Example: A State law provides an
adolescent the right to obtain mental health treatment without the
consent of his or her parent, and the adolescent consents to such
treatment without the parent's consent.
- When a court determines or other law
authorizes someone other than the parent to make treatment decisions
for a minor;
Example: A court may grant
authority to make health care decisions for the minor to an adult
other than the parent, to the minor, or the court may make the
decision(s) itself.
- When a parent agrees to a confidential
relationship between the minor and the physician.
Example: A physician asks the
parent of a 16-year-old if the physician can talk with the child
confidentially about a medical condition and the parent agrees.
Even in these exceptional circumstances, where the parent is not the
"personal representative" of the minor, the Privacy Rule defers to
State or other laws that require, permit, or prohibit the covered
entity to disclose to a parent, or provide the parent access to, a
minor child's protected health information. Further, in these
situations, if State or other law is silent or unclear concerning
parental access to the minor's protected health information, a
covered entity has discretion to provide or deny a parent with
access to the minor's health information, if doing so is consistent
with State or other applicable law, and provided the decision is
made by a licensed health care professional in the exercise of
professional judgment.
Abuse, Neglect, and Endangerment Situations. When a physician or
other covered entity reasonably believes that an individual,
including an unemancipated minor, has been or may be subjected to
domestic violence, abuse or neglect by the personal representative,
or that treating a person as an individual's personal representative
could endanger the individual, the covered entity may choose not to
treat that person as the individual's personal representative, if in
the exercise of professional judgment, doing so would not be in the
best interests of the individual. For example, if a physician
reasonably believes that disclosing information about an incompetent
elderly individual to the individual's personal representative would
endanger that individual, the Privacy Rule permits the physician to
decline to make such disclosure.
How does a covered entity identify an individual's personal representative?
State or other law determines who is authorized to act on an
individual's behalf, thus the Privacy Rule does not address how personal
representatives should be identified. Covered entities should continue
to identify personal representatives the same way they have in the past.
However, the HIPAA Privacy Rule does require covered entities to verify
a personal representative's authority in accordance with 45 CFR
164.514(h).
Does the HIPAA Privacy Rule allow parents the right to see their children's medical records?
Yes, the Privacy Rule generally allows a parent to have access to the
medical records about his or her child, as his or her minor child's
personal representative when such access is not inconsistent with State
or other law.
There are three situations when the parent would not be the minor's
personal representative under the Privacy Rule. These exceptions are:
(1) when the minor is the one who consents to care and the consent of
the parent is not required under State or other applicable law; (2) when
the minor obtains care at the direction of a court or a person appointed
by the court; and (3) when, and to the extent that, the parent agrees
that the minor and the health care provider may have a confidential
relationship. However, even in these exceptional situations, the parent
may have access to the medical records of the minor related to this
treatment when State or other applicable law requires or permits such
parental access. Parental access would be denied when State or other law
prohibits such access. If State or other applicable law is silent on a
parent's right of access in these cases, the licensed health care
provider may exercise his or her professional judgment to the extent
allowed by law to grant or deny parental access to the minor's medical
information.
Finally, as is the case with respect to all personal representatives
under the Privacy Rule, a provider may choose not to treat a parent as a
personal representative when the provider reasonably believes, in his or
her professional judgment, that the child has been or may be subjected
to domestic violence, abuse or neglect, or that treating the parent as
the child's personal representative could endanger the child.
If a child receives emergency medical care without a parent's consent, can the parent get all information about the child's treatment and condition?
Generally, yes. Even though the parent did not consent to the treatment
in this situation, the parent would be the child's personal
representative under the HIPAA Privacy Rule. This would not be so when
the parent does not have authority to act for the child (e.g., parental
rights have been terminated), when expressly prohibited by State or
other applicable law, or when the covered entity, in the exercise of
professional judgment, believes that providing such information would
not be in the best interest of the individual because of a reasonable
belief that the individual may be subject to abuse or neglect by the
personal representative, or that doing so would otherwise endanger the
individual.
Does the HIPAA Privacy Rule provide rights for children to be treated without parental consent?
No. The Privacy Rule does not address consent to treatment, nor does it
preempt or change State or other laws that address consent to treatment.
The Rule addresses access to, and disclosure of, health information, not
the underlying treatment.
When an individual reaches the age of majority or
becomes emancipated, who controls the protected health information
concerning health care services rendered while the individual was an
unemancipated minor?
The individual who is the subject of the protected health information
can exercise all rights granted by the HIPAA Privacy Rule with respect
to all protected health information about him or her, including
information obtained while the individual was an unemancipated minor
consistent with State or other law. Generally, the parent would no
longer be the personal representative of his or her child once the child
reaches the age of majority or becomes emancipated, and therefore, would
no longer control the health information about his or her child. Of
course, any individual can have a personal representative which may
include a parent who can exercise rights on his or her behalf.
Can health care providers, such as a specialist or hospital, to whom a patient is referred for the first time, use protected health information to set up appointments or schedule surgery or other procedures without the patient's written consent?
Yes. The HIPAA Privacy Rule does not require covered entities to obtain
an individual's consent prior to using or disclosing protected health
information about him or her for treatment, payment, or health care
operations.
Are health care providers restricted from consulting with other providers about a patient's condition without the patient's written authorization?
No. Consulting with another health care provider about a patient is
within the HIPAA Privacy Rule's definition of "treatment" and,
therefore, is permissible. In addition, a health care provider (or other
covered entity) is expressly permitted to disclose protected health
information about an individual to a health care provider for that
provider's treatment of the individual. See 45 CFR 164.506.
Does the HIPAA Privacy Rule restrict pharmacists from giving advice about over-the-counter medicines to customers?
No. A pharmacist may provide advice to customers about over-the-counter
medicines. The Privacy Rule permits a covered entity to disclose
protected health information about an individual to the individual. See
45 CFR 164.502(a)(1)(i).
Can a patient have a friend or family member
pick up a prescription for her?
Yes. A pharmacist may use professional judgment and experience with
common practice to make reasonable inferences of the patient's best
interest in allowing a person, other than the patient, to pick up a
prescription. See 45 CFR 164.510(b). For example, the fact that a
relative or friend arrives at a pharmacy and asks to pick up a specific
prescription for an individual effectively verifies that he or she is
involved in the individual's care, and the HIPAA Privacy Rule allows the
pharmacist to give the filled prescription to the relative or friend.
The individual does not need to provide the pharmacist with the names of
such persons in advance.
What is the difference between "consent" and "authorization" under the HIPAA Privacy Rule?
The Privacy Rule permits, but does not require, a covered entity
voluntarily to obtain patient consent for uses and disclosures of
protected health information for treatment, payment, and health care
operations. Covered entities that do so have complete discretion to
design a process that best suits their needs.
By contrast, an "authorization" is required by the Privacy Rule for uses
and disclosures of protected health information not otherwise allowed by
the Rule. Where the Privacy Rule requires patient authorization,
voluntary consent is not sufficient to permit a use or disclosure of
protected health information unless it also satisfies the requirements
of a valid authorization. An authorization is a detailed document that
gives covered entities permission to use protected health information
for specified purposes, which are generally other than treatment,
payment, or health care operations, or to disclose protected health
information to a third party specified by the individual. An
authorization must specify a number of elements, including a description
of the protected health information to be used and disclosed, the person
authorized to make the use or disclosure, the person to whom the covered
entity may make the disclosure, an expiration date, and, in some cases,
the purpose for which the information may be used or disclosed. With
limited exceptions, covered entities may not condition treatment or
coverage on the individual providing an authorization.
May a health care provider disclose protected health information to a health plan for the plan's Health Plan Employer Data and Information Set (HEDIS)?
Yes, the HIPAA Privacy Rule permits a provider to disclose protected
health information to a health plan for the quality-related health care
operations of the health plan, provided that the health plan has or had
a relationship with the individual who is the subject of the
information, and the protected health information requested pertains to
the relationship. See 45 CFR 164.506(c)(4). Thus, a provider may
disclose protected health information to a health plan for the plan's
Health Plan Employer Data and Information Set (HEDIS) purposes, so long
as the period for which information is needed overlaps with the period
for which the individual is or was enrolled in the health plan.
Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?
Yes. The Privacy Rule permits a covered entity, or a business associate
acting on behalf of a covered entity (e.g., a collection agency), to
disclose protected health information as necessary to obtain payment for
health care, and does not limit to whom such a disclosure may be made.
Therefore, a covered entity, or its business associate, may contact
persons other than the individual as necessary to obtain payment for
health care services. See 45 CFR 164.506(c) and the definition of
"payment" at 45 CFR 164.501. However, the Privacy Rule requires a
covered entity, or its business associate, to reasonably limit the
amount of information disclosed for such purposes to the minimum
necessary, as well as to abide by any reasonable requests for
confidential communications and any agreed-to restrictions on the use or
disclosure of protected health information. See 45 CFR 164.502(b),
164.514(d), and 164.522.
Does the HIPAA Privacy Rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)?
No. The Privacy Rule's definition of "payment" includes disclosures to
consumer reporting agencies. These disclosures, however, are limited to
the following protected health information about the individual: name
and address; date of birth; social security number; payment history; and
account number. In addition, disclosure of the name and address of the
health care provider or health plan making the report is allowed. The
covered entity may perform this payment activity directly, or may carry
out this function through a third party, such as a collection agency,
under a business associate arrangement.
The Privacy Rule permits uses and disclosures by the covered entity or
its business associate as may be required by the Fair Credit Reporting
Act (FCRA) or other law. Therefore, the Department does not believe
there is a conflict between the Privacy Rule and legal duties imposed on
data furnishers by FCRA.
Does the HIPAA Privacy Rule prevent health plans and providers from using debt collection agencies? Does the Privacy Rule conflict with the Fair Debt Collection Practices Act?
The Privacy Rule permits covered entities to continue to use the
services of debt collection agencies. Debt collection is recognized as a
payment activity within the "payment" definition. See the definition of
"payment" at 45 CFR 164.501. Through a business associate arrangement,
the covered entity may engage a debt collection agency to perform this
function on its behalf. Disclosures to collection agencies are governed
by other provisions of the Privacy Rule, such as the business associate
and minimum necessary requirements.
The Department is not aware of any conflict between the Privacy Rule and
the Fair Debt Collection Practices Act. Where a use or disclosure of
protected health information is necessary for the covered entity to
fulfill a legal duty, the Privacy Rule would permit such use or
disclosure as required by law.
Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the HIPAA Privacy Rule?
"Payment" is broadly defined as activities by health plans or health
care providers to obtain premiums or obtain or provide reimbursements
for the provision of health care. The activities specified are by way of
example and are not intended to be an exclusive listing. Billing, claims
management, collection activities and related data processing are
expressly included in the definition of "payment." See the definition of
"payment" at 45 CFR 164.501. Obtaining information about the location of
the individual is a routine activity to facilitate the collection of
amounts owed and the management of accounts receivable, and, therefore,
would constitute a payment activity. See 45 CFR 164.501. The covered
entity and its business associate would also have to comply with any
limitations placed on location information services by the Fair Debt
Collection Practices Act.
Won't the HIPAA Privacy Rule's minimum necessary standard impede the ability of workers' compensation insurers, State administrative agencies, and employers to obtain the health information needed to pay injured or ill workers the benefits guaranteed them under the State workers' compensation system?
No. The Privacy Rule is not intended to impede the flow of health
information to those who need it to process or adjudicate claims, or
coordinate care, for injured or ill workers under workers' compensation
systems. The minimum necessary standard generally requires covered
entities to make reasonable efforts to limit uses and disclosures of, as
well as requests for, protected health information to the minimum
necessary to accomplish the intended purpose. For disclosures of
protected health information made for workers' compensation purposes
under 45 CFR 164.512(l), the minimum necessary standard permits covered
entities to disclose information to the full extent authorized by State
or other law. In addition, where protected health information is
requested by a State workers' compensation or other public official for
such purposes, covered entities are permitted reasonably to rely on the
official's representations that the information requested is the minimum
necessary for the intended purpose. See 45 CFR 164.514(d)(3)(iii)(A).
For disclosures of protected health information for payment purposes,
covered entities may disclose the type and amount of information
necessary to receive payment for any health care provided to an injured
or ill worker.
The minimum necessary standard does not apply to disclosures that are
required by State or other law or made pursuant to the individual's
authorization.
Does an individual have a right under the HIPAA Privacy Rule to restrict the protected health information his or her health care provider discloses for workers' compensation purposes?
Individuals do not have a right under the Privacy Rule at 45 CFR
164.522(a) to request that a covered entity restrict a disclosure of
protected health information about them for workers' compensation
purposes when that disclosure is required by law or authorized by, and
necessary to comply with, a workers' compensation or similar law. See 45
CFR 164.522(a) and 164.512(a) and (l).
Does the HIPAA Privacy Rule permit a health care provider to disclose an injured or ill worker's protected health information without his or her authorization when requested for purposes of adjudicating the individual's workers' compensation claim?
Covered entities are permitted to disclose protected health information
for such purposes as authorized by, and to the extent necessary to
comply with, workers' compensation law. See 45 CFR 164.512(l). In
addition, the Privacy Rule generally permits covered entities to
disclose protected health information in the course of any judicial or
administrative proceeding in response to a court order, subpoena, or
other lawful process. See 45 CFR 164.512(e).
Are hospitals or other health care providers required to provide their notices to patients they treat in an emergency?
Hospitals and other covered health care providers with a direct
treatment relationship with individuals are not required to provide
their notices to patients at the time they are providing emergency
treatment. In these situations, the HIPAA Privacy Rule requires only
that providers give patients a notice when it is practical to do so
after the emergency situation has ended. In addition, where notice is
delayed by an emergency treatment situation, the Privacy Rule does not
require that providers make a good faith effort to obtain the patient's
written acknowledgment of receipt of the notice.
Does the HIPAA Privacy Rule require a health care provider to obtain a new acknowledgment of receipt of the notice from patients if the facility changes its privacy policy?
No. A covered health care provider with a direct treatment relationship
with individuals is required to make a good faith effort to obtain an
individual's acknowledgment of receipt of the notice only at the time
the provider first gives the notice to the individual--that is, at first
service delivery. See 45 CFR 164.520(c)(2).
How are health care providers supposed to provide the notice to
individuals and obtain their written acknowledgment of the notice when
the first treatment encounter is over the phone or in some other manner
that is not face-to-face?
The HIPAA Privacy Rule is intended to be flexible enough to address the
various types of relationships that covered health care providers may
have with the individuals they treat, including those treatment
situations that are not face-to-face. For example, a health care
provider who first treats a patient over the phone satisfies the notice
provision requirements of the Privacy Rule by mailing the notice to the
individual the same day, if possible. To satisfy the requirement that
the provider also make a good faith effort to obtain the individual's
acknowledgment of the notice, the provider may include a tear-off sheet
or other document with the notice that requests that the acknowledgment
be mailed back to the provider. The health care provider is not in
violation of the Rule if the individual chooses not to mail back an
acknowledgment; and a file copy of the form sent to the patient would be
adequate documentation of the provider's good faith effort to obtain the
acknowledgment.
Where a health care provider's initial contact with the patient is
simply to schedule an appointment or a procedure, the notice provision
and acknowledgment requirements may be satisfied at the time the
individual arrives at the provider's facility for his or her
appointment.
For service provided electronically, the notice must be sent
electronically, automatically and contemporaneously, in response to the
individual's first request for service. In this situation, an electronic
return receipt or other return transmission from the individual is
considered a valid written acknowledgment of the notice.
As a pediatrician, am I required to give my notice of privacy practices to the children I treat?
The HIPAA Privacy Rule requires a covered health care provider with a
direct treatment relationship with the individual to provide the notice
to the individual receiving treatment no later than the date of first
service delivery. In cases where the individual has a personal
representative, as is generally the case when a parent brings a child in
for treatment, the provider satisfies the notice distribution
requirements by providing the notice to the personal representative
(e.g., the child's parent), and making a good faith effort to obtain the
personal representative's acknowledgment of the notice. In the limited
cases where the parent is not the personal representative of the
unemancipated minor, such as when the minor is authorized under State
law to consent to the treatment and does so, the provider must give its
notice to the minor and make a good faith effort to obtain the minor's
acknowledgment of the notice. See 45 CFR 164.502(g)(3) and
164.520(c)(2).
Are health care providers required by the HIPAA Privacy Rule to post their entire notice at their facility or may they post just a brief description of the notice?
Covered health care providers that maintain an office or other physical
site where they provide health care directly to individuals are required
to post their entire notice at the facility in a clear and prominent
location. The Privacy Rule, however, does not prescribe any specific
format for the posted notice, just that it include the same information
that is distributed directly to the individual. Covered health care
providers have discretion to design the posted notice in a manner that
works best for their facility, which may be to simply post a copy of the
pages of the notice that is provided directly to individuals.
Can a covered entity bypass obtaining an individual's authorization for a use or disclosure not permitted by the HIPAA Privacy Rule simply by informing individuals of the use or disclosure through its notice of privacy practices?
No. A covered entity's notice is not a substitute for an individual's
authorization. Covered entities are required to obtain the individual's
written authorization for any use or disclosure of protected health
information not permitted or required by the Privacy Rule. See 45 CFR
164.508. Simply including in the notice a description of such a use or
disclosure does not obviate the need for the covered entity to obtain
the individual's prior written authorization, when that authorization is
required by the Rule. Instead, the notice must reflect the uses and
disclosures a covered entity may make without the individual's
authorization, as permitted by Privacy Rule, as well as state that any
other uses or disclosures only will be made with the individual's
written authorization. See 45 CFR 164.520(b).
Is our medical practice required to notify patients through the mail of any changes to our notice?
No. The HIPAA Privacy Rule does not require a covered health care
provider to mail out its revised notice or otherwise notify patients by
mail of changes to the notice. Rather, when a covered health care
provider with a direct treatment relationship with individuals makes a
change to his notice, he must make the notice available upon request to
patients or other persons on or after the effective date of the
revision, and, if he maintains a physical service delivery site, post
the revised notice in a clear and prominent location in his facility.
See 45 CFR 164.520(c)(2)(iv). In addition, the provider must ensure that
the current notice, in effect at that time, is provided to patients at
first service delivery, and made available on his customer service web
site, if he has one. See 45 CFR 164.520(c).
Is a physician required to give her notice to every patient or can she just post the notice in her waiting room and give a copy to those patients who ask for it?
The HIPAA Privacy Rule requires a covered health care provider with
direct treatment relationships with individuals to give the notice to
every individual no later than the date of first service delivery to the
individual and to make a good faith effort to obtain the individual's
written acknowledgment of receipt of the notice. If the provider
maintains an office or other physical site where she provides health
care directly to individuals, the provider must also post the notice in
the facility in a clear and prominent location where individuals are
likely to see it, as well as make the notice available to those who ask
for a copy. See 45 CFR 164.520(c) for other notice provision
requirements.
If patients request copies of their medical records as permitted by the Privacy Rule, are they required to pay for the copies?
The Privacy Rule permits the covered entity to impose reasonable,
cost-based fees. The fee may include only the cost of copying (including
supplies and labor) and postage, if the patient requests that the copy
be mailed. If the patient has agreed to receive a summary or explanation
of his or her protected health information, the covered entity may also
charge a fee for preparation of the summary or explanation. The fee may
not include costs associated with searching for and retrieving the
requested information. See 45 CFR 164.524.
Can a physician's office fax patient medical information to another physician's office?
The HIPAA Privacy Rule permits physicians to disclose protected
health information to another health care provider for treatment
purposes. This can be done by fax or by other means. Covered entities
must have in place reasonable and appropriate administrative, technical,
and physical safeguards to protect the privacy of protected health
information that is disclosed using a fax machine. Examples of measures
that could be reasonable and appropriate in such a situation include the
sender confirming that the fax number to be used is in fact the correct
one for the other physician's office, and placing the fax machine in a
secure location to prevent unauthorized access to the information. See
45 CFR 164.530(c).
Does the HIPAA Privacy Rule permit a doctor
to discuss a patient's health status, treatment, or payment arrangements
with the patient's family and friends?
Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities
to share information that is directly relevant to the involvement of a
spouse, family members, friends, or other persons identified by a
patient, in the patient's care or payment for health care. If the
patient is present, or is otherwise available prior to the disclosure,
and has the capacity to make health care decisions, the covered entity
may discuss this information with the family and these other persons if
the patient agrees or, when given the opportunity, does not object. The
covered entity may also share relevant information with the family and
these other persons if it can reasonably infer, based on professional
judgment, that the patient does not object. Under these circumstances,
for example:
- A doctor may give information about a patient's mobility limitations to a
friend driving the patient home from the hospital.
- A hospital may discuss a patient's payment options with her adult daughter.
- A doctor may instruct a patient's roommate about proper medicine dosage when
she comes to pick up her friend from the hospital.
- A physician may discuss a patient's treatment with the patient in the presence
of a friend when the patient brings the friend to a medical
appointment and asks if the friend can come into the treatment room.
Even when the patient is not present or it is impracticable because of emergency
circumstances or the patient's incapacity for the covered entity to ask
the patient about discussing her care or payment with a family member or
other person, a covered entity may share this information with the
person when, in exercising professional judgment, it determines that
doing so would be in the best interest of the patient. See 45 CFR
164.510(b). Thus, for example:
- A surgeon may, if consistent with such professional judgment, inform a
patient's spouse, who accompanied her husband to the emergency room,
that the patient has suffered a heart attack and provide periodic
updates on the patient's progress and prognosis.
- A doctor may, if consistent with such professional judgment, discuss an
incapacitated patient's condition with a family member over the
phone.
In addition, the Privacy Rule expressly permits a covered entity to use professional
judgment and experience with common practice to make reasonable
inferences about the patient's best interests in allowing another person
to act on behalf of the patient to pick up a filled prescription,
medical supplies, X-rays, or other similar forms of protected health
information. For example, when a person comes to a pharmacy requesting
to pick up a prescription on behalf of an individual he identifies by
name, a pharmacist, based on professional judgment and experience with
common practice, may allow the person to do so.