I am a photojournalist doing photography work for paramedic textbooks and paramedic trade journals and for the EMS agency itself to use the material for training, etc. The EMS agency is willing to allow me to ride to calls with EMS crews to obtain this material. I understand that in a patient's home I cannot photograph the paramedics unless I have approval from the patient and the EMS crew feels it will not be a detriment to the patient. Furthermore, I am bound by third party laws pertaining to invasion of privacy and would always need to secure consent and obtain a signed release before any publication. This is required even if there were no HIPAA requirements. The same goes for any photographs of the patient in the ambulance.
We have prepared a release for publication for the patient to sign.
I understand that as a photojournalist I am not considered a HIPAA entity;
however, I must take steps to ensure the EMS agency is not violating any
HIPAA privacy laws. Have I covered all of the bases as it pertains to
HIPAA? Is there anything that we are doing that might not meet HIPAA
I work with a major healthcare administrator who is looking at
outsourcing the folding/inserting and mailing of forms and billings. I
believe that having the mail house personnel handle these items would be a
violation of privacy issues. Am I correct?
The following link will take you to a sample business associate
I work in an acute care setting and often we receive attorney
requests for patients they are representing. The request states production
of "any and all" records. Under the minimum necessary standard, shouldn't
we be asking the attorney to be more specific and spell out any dates of
service they need to adequately litigate the case for the patient? Our
correspondence clerks feel that they have to go into cold storage and copy
all visit records from 7-10 years prior.
If the release of information is requested as a court order or in a dispute you must follow those specific guidelines. You can find the actual privacy regulation and download it from the following link
I am the Records Manager for El Paso County in Colorado Springs,
Colorado. The function of my department is to store documents for the
various office/departments throughout the county and retrieve the files
when they are needed. When a document is needed, the user sends an email
to our Help Desk with the indexing information and creates a work ticket.
This ticket is printed on our printer (which is located in a locked office
area) and we use this to look up the box location. The work ticket is kept
in a filing cabinet until the document is returned. When the document is
returned, the work ticket is placed in a recycle bin where the papers will
be shredded. We store medical files for the inmates under the Sheriff’s
office and medical files for the Health Department. When either one of
these users needs a file, the information emailed is a name only for the
Health department and a name, admit number and sometimes a date of birth
or a social security number for the Sheriff. The email is sent to a
distribution list that includes four people working on the help desk and
the three Records Center staff members. My question is this: are there any
HIPAA violations by handling the requests in this fashion?
My wife has been to several doctors to try to find out why she has
tremendous pain in her leg. She was finally referred to a "Pain Management
Clinic". Every doctors office we have been to allowed me, her spouse, to
accompany her to the exam room on the very first and subsequent visits,
but this "Pain Management Clinic" refused to allow me to accompany her
during the initial exam. They stated that due to the new "HIPAA"
regulations, no one but the patient is allowed during the initial exam. Is
this true? Do the HIPAA rules state this? Or is this possibly just the
protocol of this particular office?
Is it considered a violation of HIPAA if a nursing student of an
accredited school reviews their own medical chart at a hospital?
Especially if no information was altered or passed on beyond that student
I work for an ambulance service that transports patients to and from
hospitals, extended care facilities and home address. Is it against HIPAA
to look at the patient's packet of medical paperwork that is given to us
from the hospital and/or medical facilities. A lot of the time we have to
look at the records to find out what is wrong with the patient or
We are self-funded and self-insured for our health plan. Can you
help with a hypothetical situation? A police officer has a hospital stay
and in the medical notes I find out he has Hepatitis. He is returning to
work as a police officer, is there any information that I can share with
his Police Chief that he has a contagious disease because he will be
around fellow police officers and the public? So far from what I have read
I see no exclusion unless he signs an authorization for me to share this
The Privacy Rule continues to allow for the existing practice of sharing protected health information with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting deaths and births, investigating the occurrence and cause of injury and disease, and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices. See the fact sheet and frequently asked questions on this web site about the public health provision for more information.
Therefore, you should follow your state's protocol and report the information to the public health agency and not to the Police Chief. The agency will follow correct protocol if a danger to others is anticipated. (Posted 2/10/04)
I work in the HR Dept. at a medium sized company and, as a
department, we would like to send get well cards to employees who are out
on FMLA/Medical Leave. Could this be considered a violation of HIPAA?
I am working with an insurance company to produce materials that
encourage their insured customers to live healthier lifestyles that would
lower insurance and healthcare cost over time. I would like to compare use
of healthcare services at the beginning of the project to levels of use
one year later. Can insurance companies publish statistics based on
patient data regarding use of healthcare services?
I work for an insurance company in Oklahoma. The company's name is
Old Surety Life Insurance Company. It is owned by Enterprise Holding
Company. Enterprise Holding Company also owns Enterprise Marketing
Corporation which is an insurance agency. Old Surety Life, the insurance
company, has approx. 10,000 medicare supplement insurance policyholders.
Can Old Surety Life Insurance Company provide basic information to
Enterprise Marketing Corporation about its policyholders such as name,
address, city, state, zip, DOB, and agent without disclosing to the
policyholders that it is sharing this information? Can Old Surety Life
Insurance Company provide this same basic information to Enterprise
Marketing Corporation about its policyholders such as name, address,
city, state, zip, DOB, and agent if it provides a value added benefit?
The following link will provide additional guidance concerning marketing. This link will take you to the Marketing Fact Sheet developed by HHS. http://hhs.gov/ocr/hipaa/guidelines/marketing.pdf (Posted 2/10/04)
Are sign in sheets allowed to be used in the patient area?
I work for a Manufacturing Co who has posted notices that all Dr.
excuses must have the diagnosis on them. It seems that this is a privacy
issue. I don't know where or who might see this information.
The medical office that I visited recently provided my personal
information to a laboratory, where my test was performed, without my
permission to use this information. I received at my home address a
giant bill for this test. The staff of the medical office didn't make me aware
that this test had to be done outside and was supposed to be paid directly to
the laboratory. Was there a violation of my privacy on the part of the
medical office, because I didn't sign ANY paper to release my information
out of this office?
I am in a custody case and my ex-wife's attorney subpoenaed several
local hospitals. Without my knowledge or consent and without a court
order, the hospital disclosed my medical records going back over 20 years.
Assuming this is a violation of my rights under the new law, what action
can I take?
We are a pediatric clinic and all PHI maintained is regarding our
pediatric patients. I understand the HIPAA standards regarding disclosure
for judicial/administrative activities and law enforcement purposes. My
question is: what if law enforcement were to ask us for information
regarding the parent of a pediatric patient for identification/location,
warrant or process, etc. Demographic information for the
parent/patient/family is contained within the patient's PHI.
My friend's father has just been hospitalized for a serious illness
and cannot communicate. He is in a semi-coma state. He is married to his
second wife and the hospital and physicians will only release information
to her. She is in her 80s and is not in a position to make effective
decisions or understand what the providers are recommending. She
acknowledges this and is willing to allow my friend to be the decision
maker on her father's care but the facility and providers will not release
any information to my friend. Unfortunately, this illness was unforeseen
and there is no HIPAA authorization on file to allow release of info to
anyone. Because the spouse is considered next of kin, this is the only
person they will deal with and it may be jeopardizing this man's health.
Is there anything my friend can do?
Can a close friend call a doctor's office and request prescriptions
for medication for that friend? Would there need to be authorization for
that friend to receive those prescriptions?
A representative from the Dept. of Health in my state told the local paper that they cannot divulge the number of flu deaths in each county, as that would be a HIPAA violation. "According to Health Department Spokesperson Ann Wright, the state is prohibited by HIPPA laws from revealing which counties have reported flu deaths. There have been 13 deaths statewide, with one younger than the age of 21. " (The Baxter Bulletin, Dec. 24, 2003).
I say it isn't a violation because you are not identifying patients
in any way, just a collective number. Why would it be OK to divulge the
statewide total and not county total? I think they just don't want to tell
the number and are using HIPAA as an excuse.
I have been told that it is necessary to use a shredder that cross
cuts as opposed to one that just strip cuts paper. Is this true?
We are contemplating digitizing our medical records. If we make
electronic copies of our records, are we required to keep a hard copy of
the record and are there any HIPAA rulings that preclude us from doing the
There seems to be some conflict in the hospital about the hospital
policy and the actual signed request of the patient concerning contacting
the patient for out patient services after discharge, specifically,
Diabetic Education. I would like to see a complete updated copy of the
HIPAA ACT. Hospitals at present do not send the signed HIPAA papers with
the admission to the out patient services. Please advise about acquiring
the actual HIPAA Updated ACT and information about the protocol for the
Hospital to admit a patient to the out patient educational services
without including their HIPAA signed paper work.
I am employed as an RN. My primary responsibility is Critical Care
Transport of patients that occur interfacility. Secondarily, we conduct
follow up reports on our patients. Is it a violation of HIPAA to request
patient information from a primary caregiver of that patient at another
facility? The majority of our patients are critically ill and unable to
speak or make their own judgements. I have been denied information
numerous times despite telling the caregiver that our phone calls are part
of a QA process.
I work for a private clinic that leaves the exam room doors open
while performing an exam. The exam does not require the patient to
disrobe. Does HIPAA require that the exam room doors be closed during an
We have an employee who took a second (moonlighting) job, which is
permitted by our rules. We contacted the other employer to confirm that
the employee’s scheduled hours did not overlap with our scheduled hours,
and to see if he was eligible for health care benefits at his new
employer. We were told that they could not reveal if he was receiving
health care benefits because of HIPAA. Is this correct?
Are there any HIPAA restrictions concerning Church ministers
visiting hospital patients? If there are, what are they? I am a church
layman and I'd like to visit hospital patients to help lighten the load
for the church staff but the staff is reluctant to allow it for fear of
I work for a Hospital in Iowa as an RN. My personal information
(address) was obtained by another staff member, either by the hospital
giving it out through Human Resources or obtained from our computer system
when I was a patient. Can HR give out my personal info to another employee?
Is it illegal for the employee to obtain the info. from my recent
What would I need to do if I knew of an office that was not HIPAA
regulated yet. The office that I used to work at is not. Insurance
claims are not even getting paid because the practice is not in the rules
and regulated yet! Do you know who I can contact to let someone know this
important information? They are not even keeping patient information
I am a registered nurse in an emergency department. It seems that
with all the new HIPAA regulations everyone is afraid to discuss anything
with anyone. I think it is being blown out of proportion and I don't think
that is the intention of the HIPAA regulations. My specific question is
this: If social services is called in to investigate a situation where a
child was involved in an automobile accident where the mother (the driver)
was very much under the influence, can we share information with social
service to assist them with their investigation? Can we reveal such things
as drug testing and other information related to the mother's condition at
the time of the accident in order to protect the child? Also, can
information be shared with police?
We offer an "Ask the Dr." feature on our website. I was going over
some information about the requirements of getting an acknowledgement of
receipt of the notice of privacy practices. I read that the rule requires
that we send the notice to the patient if their first request for service
is electronic and attempt to get this acknowledgement. Does this apply to
the "Ask the Dr." feature on our website when our Dr. replies to the
potential patient? And if this is a requirement do you have any suggestion as
to how we are to track these if the patient hasn't actually "become a
patient" in our office?
My nephew is in the hospital and his father brought a friend down
there with him to visit and we were wondering if this is HIPAA violation.
My sister asked the nurse if she could stop this person from being in the
room and the nurse said that as long as they were invited to come down
they had the right to be there. I am very concerned with this because no
one knows this person and I am afraid that the wrong person might find out
about my nephew and his condition. Is it a HIPAA violation that the
hospital let someone in the room who is not a family member or friend of
the family, to hear about my nephew's condition?
Are medical transcription services that use typists from overseas
actually HIPAA compliant?
October 27, 2003
Under the bill, state hospitals would likely be prevented from outsourcing transcription work unless they could verify that all related files stay in the country, which would make hospitals responsible for any subcontracting issues. Sen. Liz Figueroa (D-Fremont) will introduce the bill in January when the state Senate returns for its regular session, the Chronicle reports. Figueroa expects the health care industry to fight the legislation, but she said that because of the public’s increased concern about privacy issues, the bill will eventually pass (Lazarus, San Francisco Chronicle, 10/26).
In the UCSF incident, the Pakistani transcriber, Lubna Baloch, on Oct. 7 sent an e-mail to UCSF threatening to post all the voice files and patient records from the UCSF Parnassus and Mt. Zion campuses on the Internet unless she received money that a subcontractor allegedly owed her. Baloch attached to the e-mail actual files with dictation from UCSF physicians. After she received a portion of the $500 that she said she was owed, Baloch on Oct. 8 sent UCSF an e-mail withdrawing her threats (iHealthBeat 10/23).
This is the first time an overseas transcriber has used confidential medical records against a U.S. hospital, the Chronicle reports (San Francisco Chronicle, 10/26). (Posted 11/14/03)
I work in a pharmacy and we need to get refill authorization for
people's medications. The computer was programmed with the wrong
information as to where the doctor was located. (She practiced mental
health at this facility and then moved to another clinic). Well we faxed a
refill request on the proper form to the phone number in the computer and
it came back to us saying she did not practice at that facility anymore.
Was that a violation of HIPAA policies? The pharmacist says it is, while
another pharmacist says it wasn't.
Can my health care provider fax information to an insurance company
(or any other company as far as that goes) without my knowing it or
authorizing it?
We are a family practice referring a worker's compensation patient
to an ortho. When the nurse called the physician's office to make the
referral appointment the nurse was told due to HIPAA our office could not
make the appointment and the employer would have to. Under HIPAA it is our
understanding we can use the patient's info for treatment and of course,
the referral is for treatment. What documentation could we share with this
office to show them a referral from one doctor to another, even for
workers compensation, is covered?
Must a covered entity get an authorization to release PHI of its
employee for FMLA?
The Privacy Rule requires Business Associate agreements to include
certain things - 164.504(e)(2)(ii)(E),(F) & (G) requires the agreement to
state that the Business Associate will make PHI available for patient
access, amendment and for an accounting of disclosures. For the agreement
with our document destruction service, should those items be left out of
the agreement, or should they be included as required, even though they do
not apply for the service they perform?
My question is concerning chart security. We are Oral-Facial
Surgeons and have three locations. The patient charts in all three
locations are not accessible to the patients or the general public. Both
the office buildings and the offices are locked at night and off-hours,
but the charts are not locked in a separate room or area within the
offices. Our question is: how 'secure' must these patient charts be? Must
they be under lock and key in individual cabinets or simply secure within
I work in the insurance industry and deal directly with bodily
injury/liability claims. In order to obtain medical records we obtain
written permission from our claimants to request medical records from the
providers they list on the form. While we have tailored our Medical
Authorization form to meet HIPAA guidelines, we frequently find that
specific medical institutions reject our form because it doesn't meet
guidelines they have instituted beyond HIPAA's compliance guidelines.
Would you please provide a run down of what a basic Request for Medical
Information Authorization form should contain, also, in your opinion does
a provider have a right to reject our authorization form because it lacks
details they deem necessary but are not HIPAA compliant?
You can find the actual privacy regulation and download it from the following link http://www.hhs.gov/ocr/combinedregtext.pdf. Refer to section 164.512(e). And finally to answer your question concerning the right to reject your authorization form due to lack of HIPAA compliance, I would agree that they do have this right. Before they release information they must be secure that they are following HIPAA guidelines and in many cases must account for disclosures and also need this information. (Posted 10/28/03)
How do I make a subpoena requesting medical records for a legal
proceeding HIPAA compliant? Each hospital seems to have their own rules.
If the release of information is requested as a court order or in a dispute you must follow those specific guidelines in addition to the above minimum requirements. You can find the actual privacy regulation and download it from the following link http://www.hhs.gov/ocr/combinedregtext.pdf. Refer to section 164.512(e). (Posted 10/28/03)
I am a new practice manager for a plastic surgery office. We have a
statement which patients read but currently do not sign. Is it mandatory
(or recommended) that each patient sign this form indicating our
notification and compliance with the new HIPAA law?
We are a mid-size office and we currently charge patients $25.00 for
their medical records. We have been told that per HIPAA, offices are not
allowed to charge for medical records. Is this true? I have not been able
to find anything specific on the subject.
The fee must include only the cost of:
Therefore, you should assess if the $25.00 fee is reasonable and only covers the cost permitted by the regulation. (Posted 10/15/03)
Is there such a thing as "HIPAA compliant shredders"? The rumor
around here is that we must have shredders that "cross-cut" in order to be
When you think of disposing documents, papers, notes, etc. that contain protected health information (PHI), you must remember that this information is in your care and therefore you should take precautions to dispose of it so that the PHI is protected. If your current shredder allows PHI to be visible you may want to revisit the shredder issue but bear in mind the regulation does not endorse any shredding companies or process. Keeping your goal in mind should certainly guide your policy. (Posted 10/15/03)
Does HIPAA change the right of a defendant to subpoena the patient's
medical records with notice but without authorization when the patient
institutes civil litigation claiming total disability?
I have a question about patient privacy concerns. Last week I
visited my physician’s office to see if previous health records from a
former doctor had been received and placed into my current medical chart.
The clerks at the office looked through my file and said some records had
been received. When I asked to see the copies in my chart, to determine if
they were the right information, I was told that I was not allowed to look
at my chart! I was not allowed to look at ANY of my chart, even though I
was standing right there! When questioned, the staff informed me that this
was a rule of the new HIPAA regulations, and that I was not allowed to
look at my chart. I found this to be unbelievable and felt that they were
perhaps interpreting the HIPAA regulations incorrectly. Can you please
explain this to me?
I am trying to find a form for a psych authorization form. Do you
know where I can find that?
I work in small private non-profit alcohol/drug treatment agency. My
agency works with the local drug court and performs two separate functions
for the drug court. We provide case management and the year long drug
court treatment. Each client has a case manager and a treatment counselor.
To make record keeping more efficient we have elected to have a case
management file that the case manager is responsible for and a treatment
file that the treatment counselor is responsible for. When the client has
completed the drug court program the files will be combined for long term
storage. Is it compliant to have two files on one client within the same
We are a New York PT provider treating a patient injured and treated
in Florida. We wish to get copies of the MRI and other records from the
Florida health care providers. The Florida provider requests an
authorization. Do we need an authorization? This is W/C. She has signed
our consent form allowing use and disclosure for treatment, operations and
I was wondering if all patient files must be locked up after hours.
If so, what part of the HIPAA requires it?
This information can be found in section 164.530(c)(1)-(2).
Locking up files at the end of the day seems to be a reasonable measure for protection of PHI and therefore it is advisable to pursue this process. (Posted 10/15/03)
I am a hearing officer for a state Unemployment Appeals Agency
adjudicating cases under our state's Unemployment Compensation Law. Under
HIPAA, are employers, which have medical information about a former
employee, prevented from presenting this information in an appeals hearing
regarding that employee's reason for separation, without the former
HIPAA requires "covered entities" to protect certain categories of information that qualify as "protected health information" under its provisions. The HIPAA regulations state that individually identifiable health information in employment records held by a covered entity in its role as an employer is not "protected health information." (45 C.F.R. §164.501). The HHS explains it this way:
Medical information needed for an employer to carry out its obligations under the Family Medical Leave Act (FMLA), the Americans with Disabilities Act (ADA), and similar laws, as well as the files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by the covered entity in its role as an employer. 67 Fed. Reg. 53,192 (Aug. 14, 2002).
This type of medical information is a necessary part of the employer's official function, and the law permits employers to collect and maintain it. It is not HIPAA-protected, BUT is still subject to state laws on privacy! It should be treated as confidential information.
A follow-up question: If the employer is a hospital and contracts
with an organization to provide employee assistance programs for their
employees, including treatment for substance abuse, are the records of
collection, chain of custody, and methodology of testing of urine, blood,
and hair samples, and the test results protected health information that
the employer would be liable under the act if given as evidence in an
appeals hearing without the former employee's permission?
We have a dental practice that treats families. Our question is when a parent brings in a child that is a new patient and signs a Notice of Privacy Practices form on behalf of their child and then comes in a few days later with another one of their children who is also a new patient, does the parent need to sign a separate NPP form for that child as well or can the first form that they signed be designated for all of their children?
You can certainly provide one copy of the NPP for each family and ask that they sign receipt and apply to all of their children so that you may enter this in your database or place copies in each of the charts. If this is the form you are referring to, the idea is that the individual, and in this case that is the parent, understands your policies in regards to use and disclosure of protected health information as well as their rights in regards to this information. Therefore one NPP receipt applied to all of the children's records should be sufficient but make sure the parent understands that you will be including this in each of those records. (Posted 10/15/03)
We are a long term care facility and we have held open meetings for
the families of patients where names of our residents may be used by
family members. Are we or would we be out of compliance in an open forum
like this? What would you recommend to solve this question?
We are a pediatrics clinic and we occasionally have "coloring
contests" and display the pictures on our hallway bulletin board with the
child's name and age displayed. Also, we occasionally display Halloween
"pumpkins" with the child's name signifying contribution to March of
Dimes, etc. Is this considered disclosure of PHI - do we need the parent's
authorization - or should we cease these activities?
My mother in law recently received a letter from her attorney in which he specifically cites the new HIPAA laws and how they affect the release of information to family members. In his letter, he points out that "Many of you have already signed HIPAA release forms at your doctor's office, pharmacy, or hospital. These releases are for your Health Insurance Company and Medicare and authorize the release of information to them. They do not release information to your family or agents."
He has offered to provide a form at a cost of $125 for the initial authorization (e.g. family member 1) and $50 for each member after that.
My question is this: Can this be done with her provider? Would it be
acceptable under the HIPAA regulations to sign an authorization with her
physician and hospital to release medical information to selected family
members? Is it necessary to work through an attorney to accomplish this?
I have an associate who believes that his mother may have
Alzheimer's disease. However, this associate's mother requested that her
doctors not give out any information to anyone concerning her condition,
including her family. He is extremely worried about her. What does he need
to do to find out what his mother's condition is?
We are a residential substance abuse treatment facility located in
Vermont. Often, our clients/residents come to us either from a
correctional facility or at the recommendation of a probation officer. My
questions regarding patient privacy are:
In regards to the consent/authorization which is signed with the correctional institute, you should definitely notify that agency/P.O. or whomever is the designate regarding revoking that consent as this was the originator of the consent.
I believe you are referencing an authorization form in your second question and yes you may use a single form but must stipulate the intended use, recipient of the information, dates, etc. as noted in the guidelines. There are some exceptions concerning multiple use noted in the regulations. The form could have fill in the blank information and also note all departments but the actual agency or department must be addressed by some method. (Posted 10/15/03)
On page 9 of your Privacy FAQs you stated that “The acknowledgement
of receipt of the NPP needs to be obtained once unless the NPP has been
changed.” It also states “The new NPP must then be distributed
immediately.” In training, I was told that only if we make material
changes to the NPP do we need to distribute it and that as long as the
most current NPP is on our website we do not need to re-distribute.
Also that we do not need to get another signed acknowledgement. Please
Furthermore, the covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. [164.520(b)(3)]
And as a covered health care provider that has a direct treatment relationship with an individual, you must whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section. [164.520(c)(2)(iv)] This applies to posting the notice, revising the website posting, and having a copy of the notice available upon request.
In regards to the signed acknowledgement the regulation does not note specifically that you must get a new signature. However, it makes good business sense that when you make a material change and you are providing this information to an individual, you would document that the individual has received this new document or has knowledge of the changes. An acknowledgement signature would surely provide this proof. (Posted 10/15/03)
I work in a busy hospital ambulatory procedure department. Our
waiting room is directly across from the nurse's station, and discussions
about patient care can be overheard in the waiting room quite easily, even
when voices are kept low. Because facilities are not required to make
structural changes, other than cautioning the staff and doctors, does
anything else need to be done?
How can I find out more information on requirements for patient
record retention? Is it true that records must be kept for the life of the
HIPAA speaks of a 6 year retention for Privacy policies and procedures, accounting of disclosures, etc. The actual medical record retention is governed by federal health record requirements outlining record retention. Each state also has its own separate retention standards and regulations. And accreditation agencies may also have their own retention standards requirements.
You can also look to the American Health Information Management Association (AHIMA) for guidance on this topic. (Posted 9/8/03)
I would like a definition for "individually identifiable
This is information that is created or received by a health care provider, health plan, employer, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. In other words it is the information that can actually link a patient to health information.
IIHI can actually identify an individual or provide a reasonable basis for identifying the individual.
The list of identifiers can be found in section 164.514 of the Standard. (Posted 9/8/03)
Is there a limit to how much can be charged per page or per hour
to prepare a patient's request for health information?
I work for a small company that has business associate agreements
with the physicians and facilities. We offer new technology in the
marketplace, and we are running into a problem in getting the insurance
companies to verify patient eligibility and benefits, even though we have
signed contracts in place. We do all the billing and negotiation of the
claim beforehand, as usually we are billing for an unlisted CPT code that
currently has no designation. What do I do to overcome the challenges of
getting benefits from the insurance companies?
Where should the charts be kept when the patient is to be seen
and is in the exam room? Should they be in the room, outside on the door,
outside the door on the wall? Or somewhere else?
I am looking to get an answer for the following concern of ours: Do
we have to take residents' names off the doors? How about the working
folders on the unit?
What are the limits specified in the act for release of medical
information to family members who are inquiring about a hospitalized
individual? Is there a difference if there is a medical power of attorney
form on file?
What many providers are doing involves getting a listing from the patient during registration of who a designated contact person or two will be. If this is done verbally, it is documented at the time of instruction. The notation is then consulted whenever inquiries are made of the provider for information on the patient.
It is understandable that this is causing a lot of agitation for family members. However, providers have taken it upon themselves as a precaution to avoid disclosure to the "wrong person". (Posted 6/19/03)
As a health care provider, what do we do if a patient refuses to
sign any HIPAA forms of consent or authorization? Can we still treat the
patient and what are our boundaries?
HIPAA is concerned with the disclosure of protected health information, thus such information may not be disclosed without the authorization of the patient. If the patient refuses to sign this authorization, in most cases, treatment cannot be withheld.
The consent provision was taken out of HIPAA. The consent for treatment is voluntary under HIPAA privacy guidelines. According to the Guidance, “covered entities that institute consents for treatment have complete discretion to design a process that suits their needs”. You could withhold treatment without the signed consent for treatment if you so choose. It is important to document in all cases when this occurs in case of any disputes that may result. (Posted 6/19/03)
Are old records that have been copied and sent from other providers
considered a part of our medical record? When complying with a request for
records, are we allowed to also copy those other records or not? It would
seem that once we receive them and they are a part of our chart, then they
become "our" records and should be included when records are requested.
There is a great deal of confusion regarding this issue.
It actually goes to the state level in some cases to be decided. I am not familiar with your state's laws and I would check the pre-emption language (state more stringent than HIPAA) regarding this. Absent that, I would contact legal counsel for an opinion. We cannot and will not offer legal opinions.
I can tell you, however, that the majority of the providers that I personally have talked to are including records that were received for the direct treatment of a patient to be a part of the patient's medical record. Once again, this is not a legal opinion. You must be comfortable in defending any decision you make in this regard. Please ask legal counsel. (Posted 6/19/03)
I work in an acute care facility and would like to know if it is a
HIPAA violation to allow allergy stickers to be placed on the front of
inpatient binders. Some of the stickers list the specific allergens and
some simply alert the physician to the existence of an allergy. The
patient's name is on the spine of the binder. I do have some physicians
complaining about this practice as well. They prefer that the name be
placed on the front of the binder with allergy stickers. What is allowed
under HIPAA for both of these situations? What about other condition alert
stickers, such as diabetes, transplant status, etc.?
The reasonable protection of confidential patient information is the key to HIPAA compliance. If the chart is properly secured, the stickers are not an issue. (Posted 6/12/03)
I'm the Advisor for a hospital sponsored organization, Senior
Friends. Senior Friends is a national organization sponsored by Hospital
Corporation of America with our local chapter being sponsored by our local
Medical Center. Senior Friends and the hospital have sponsored health fairs
in the past, such as stroke screenings, blood pressure, etc. and have
considered even lipid screens (blood tests). Our concern is that under the
new regulations, are we responsible for maintaining medical records for
people who might attend a health fair or expo where screenings are set up
or if we have simple blood pressure checks in our office? Health Fairs are
currently on hold throughout our facilities until we have clear
instruction as to how HIPAA regulations relate to these events.
OCR has yet to address this issue through any type of guidance as of this writing. They are aware of the many questions about the health fair events and the potential HIPAA impacts.
One further question would be on the route you take when "sub-optimal" results are reported back to the patient. Is any record of that kept by your organization? If so, you would most likely be impacted by HIPAA privacy. (Posted 6/12/03)
Please define what constitutes a "public" workstation. I work in an accounting office for a national dialysis clinic. Our Accounts Receivable Department handles the accounts for over 250 dialysis clinics located throughout the United States. The general public, including patients, do not have access to our office. We deal strictly with the clinics themselves and this is done by the computer, fax, snail mail and phone. The only people present in our work area are our employees all of whom have signed a confidentiality oath.
Thank you for clarifying this term, "public" workstation, for me
and my co-workers.
If each employee in the clinic has the same access rights (and they probably should not), then there probably would not be a large issue. The issue, however, is with different employees needing different levels of access to do their jobs and workstations being left unsecured. If person A, for example, is a billing person and leaves his/her workstation with a screen visible, and person B can walk up and see information he should not see, this could be considered to be a breach of privacy.
The key is securing workstations by logging off after non-use, logging off when leaving the workstation, and not keeping screens in general view of those who don’t need the information to do their jobs. (Posted 6/12/03)
My question concerns radio transmissions between ambulance corps,
police dispatch and the hospital. Since many people have scanners, is it
still acceptable for the police dispatch to give the nature of the call
and the call location over the radio? And can the ambulance crew relay
this information and patient condition to the hospital over the radio?
Answer: No, the Privacy Rule does not require these types of structural changes be made to facilities.
Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. "Reasonable safeguards" mean that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. The Department does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, the Department will take into account the concerns of covered entities regarding potential effects on patient care and financial burden.
For example, the Privacy Rule does not require the following types of structural or systems changes:
Covered entities must provide reasonable safeguards to avoid prohibited disclosures. The rule does not require that all risk be eliminated to satisfy this standard. Covered entities must review their own practices and determine what steps are reasonable to safeguard their patient information.
The key is reasonability. If you are making every effort in this case, you should be in compliance. (Posted 6/12/03)
I work in the health insurance industry and a recent article in the
Dallas Newspaper caught my attention. Per the article, churches and other
religious organizations are bound by HIPAA. This goes against what I
knew/understood to be the case. Can you confirm my understanding or
elaborate on the limitations placed on Churches in regards to
announcing/praying for the sick?
Nothing legislatively covers the clergy member from going back to the pulpit and making the announcement that you are in the hospital. Many facilities, however, are training clergy members in the ways of privacy. They are letting the clergy know that some patients want their privacy and don't want the church to know. This is more of an ethical issue that many clergy are reacting positively to. (Posted 6/12/03)
Is it a violation of HIPAA for a doctor's office to leave a message
on a patient's home answering machine confirming a doctor's appointment and
also stating the nature of the visit? My doctor left a message confirming
an appointment for an exam and the message was played back by my parents
since I wasn't home yet. Is this a violation of my privacy?
Q: May physician's offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients' homes?
A: Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual's privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.
A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).
So, unless you have specifically requested that confidential communications be used, the provider did not violate your privacy in this instance. (Posted 6/5/03)
Please let me know if a case number from IP is considered PHI alone
or does it need to be attached to a member name, DOB or something else
before it would be password protected.
I recently went to a doctors office to get some personal tests run... I was very adamant and concise about how they were to contact me... no phone calls to my office or my home...none...I clearly stated, not only verbally but on my admissions, that they were to contact me via email only...
Then they called me at my office telling the receptionist that MY DOCTOR called and wanted me to call back...
I work in a small office that has my MD's as clients but I purposely chose an outside MD for privacy issues...as you may well know small offices tend to gossip and enjoy other people's business...
First of all...no call should have been made, but if a call must be made they should not have stated they are MY DOCTOR...just hang up and call back...
What are the regs on this?
I am a consultant to Long Term Care Facilities. I have a question
about the accounting of disclosure to state agencies. I believe the state
surveyors can access the records and we do not have to log their review of
the records in the accounting of disclosure because this is part of health
care operations. My question is, does this apply to the nurse who
investigates complaints of abuse and neglect? This is not the usual health
care operation and would fall under public health authority or health
oversight and should be logged.
I work in an ambulatory surgery center. When we call our patients
for follow-up after their surgery, is it acceptable to leave more
information than just our facility name and nurse’s name with a request to
call us back? Our patients get confused about who is calling, and why,
even though we inform them before discharge that a nurse will be calling
to check up on them. If we have this information in writing on the
discharge instructions, and the responsible party signs the instructions,
are we covered under HIPAA? Specifically, is it alright to say that we are
calling to check up on the patient if we get an answering machine?
In our waiting room we have a bulletin board that parents place
their children's pictures on. There are no names given on the board. Is
this in HIPAA compliance or not?
I am a police officer for a medium-sized municipality and I am
wondering about our status under the HIPAA regulations. As a first
responder to violent crimes, all severities of vehicle crashes and other
related items, I was wondering if, as a part of our investigation of crime,
we are allowed to collect basic medical information from EMS providers to
investigate a crime. For example, a colleague of mine responded to a hit-skip
vehicle crash where a pedestrian was struck by a car that fled the
scene, and our local fire department paramedic squad also responded to the
scene. As a part of his investigation the police officer asked the
paramedics the victim's severity of injuries, which is required information
on the traffic crash report and for any criminal investigation that would
follow. He was told by the paramedics that they would be in violation of
HIPAA to divulge any information on the victim. I found this to be
incredibly ridiculous, as the information that the officer was asking for did
not concern any of the victim's medical history or treatment being received
but was important information that would be needed to solve a crime. Are the
paramedics in my city right in their interpretation of the HIPAA standards
and regulations, or are we, as first responders to scenes, entitled to
receive the basic information for protection of the victims' rights and to
solve crimes? What information are we allowed to expect to receive from
EMS units that respond to crime and vehicle crash scenes?
Would you have an example of a Disclosure Log?
I work in a Doctor's office. If a patient wants to change their
primary doctor to the doctor I work for I send a signed consent for
release. What has to be done on this form to be HIPAA compliant?
The surgeon and ambulatory surgical center for whom I work are
affiliated entities by ownership, etc and we have declared as such. They
are two separate corporations each with their own tax id numbers.
Therefore, we have one privacy notice for both entities. We are only
filing the notice of receipt in the physicians chart. I am wondering if I
need to file a photocopy in the surgery center chart of the mutual
I work for an audiology-based company. We provide our patients with hearing healthcare such as earwax removal, hearing evaluations, and hearing aids. When a hearing aid is sent out for repair, the patient's name is on the repair form and the manufacturer knows the patient's hearing loss, etc. This is considered PHI. Because we are a busy office, we ask all patients when they come in to sign our Authorization to Disclose/Use form. I have two questions.
1. If a patient does not sign this authorization form, can we still see them and can we still treat them with hearing healthcare such as sending an aid out for repair?
2. At fairs, we bring out portable video otoscope which allows
people to see the inside of their ears. This is done in front of people
passing by. Is this ok? Do we need them to sign a form? Or is verbal
consent good enough?
I am a dentist. If I refer a patient to a specialist, do I need a
"Business Associate Agreement" with that specialist to receive a report
regarding the treatment or a copy of the treatment radiograph for the
Is there a certain format in terms of font, point size, etc for the
patient privacy notice?
What do we need to show as proof of compliance? Is there a form and
who do we send it to?
If a patient or his/her representative feels that their privacy has been compromised, they will file a complaint with the Office of Civil Rights, which may initiate an investigation into your covered entity's HIPAA compliance. (Posted 5/15/03)
I am a premedical student at Cornell University, in my junior year of undergrad studies. I've been trying to arrange a shadowing (internship) with some local doctors, but they hesitate to take me on due to HIPAA's new regulations.
Do the new regulations restrict premedical (undergraduate) students
like myself from shadowing/interning with doctors? While I definitely
appreciate patient privacy concerns, how are we to gain experience in the
medical field while complying with HIPAA's regulations?
I am looking for information on the HIPAA guidelines pertaining to
mental health providers. Do you have a booklet we can obtain?
Generally, psychotherapy notes are given special protections, as long as they are not part of the employee's general medical record.
This is an area that is a little more complicated than the general HIPAA guidelines. There are many things to look at, including any notices of Privacy Practices, billing concerns, etc. (Posted 5/15/03)
I am a dental consultant located in the Denver area and am trying to
find out if it is permissible for the dental office to post their daily
schedule of patients by name only in the treatment areas, or would this be
a HIPAA violation? Rationale: If a patient sign-in sheet is permissible at
the reception area then it seems as if a daily schedule should be
permissible to post as long as no medical information is on it.
I would like to know about the HIPAA requirements for patient
charts. Can you have the patient's name on the front of the chart?
I am looking for specific examples of sanctions that would apply for
violations from business associates or employees as it pertains to PHI. In
the Privacy Manual it states that you need to have a set of guidelines in
place for sanctions placed on non-compliance or violations.
As far as the Human Resources sanction policies, it will vary on the types of disclosures and the disciplinary action (sanctions) that will be taken against an employee. Many covered entities have, in their employee handbooks, a section about confidentiality, including examples of the types of data which are to be confidential, the access to particular data on a "need to know" basis, etc. Examples of violations might include accessing patient records not needed to do a person's job (i.e. looking up the medical records of a celebrity), talking with others who don't need to know about a patient's case or care, etc.
Disciplinary action statements often include verbiage like "we will discipline violations up to and including immediate termination", or a like statement. If you have an existing disciplinary policy, it is often the case where HIPAA language is "baked into" the existing policy. (Posted 5/15/03)
I am an architect working on a renovation for a Massachusetts
hospital. Part of the project involves a new reception area with two
patient interview stations. Each station will have a counter and two
side-walls that extend to six feet high. Can these sidewalls contain
glass? The patients would be able to see each other, but not hear each
You should tell the staff at the hospital to monitor other patients who might be trying to look over or through the glass and to make every effort to protect against this type of incidental disclosure. (Posted 5/15/03)
Our local newspaper insists that we release the following information for the newspaper report:
Patient Name, Point of pickup, Point of drop off, Reason for pick up, Date
I feel this must be in violation of HIPAA regulations, but I am having
trouble locating a document that will clearly state this is not acceptable
practice. Is this against HIPAA regulations?
Release of information to outside sources, including media, has always been an option for healthcare providers. For that reason, I am unclear about the question's reference to "insistence".
As far as HIPAA regulations, the patient has the option, as should be stated in your organization's Notice of Privacy Practices document, to opt out of having their Protected Health Information released to the media. Ultimately, the HIPAA regulations give the patient more control over their own Protected Health Information. (Posted 5/15/03)
For years we have taken a Polaroid photo of children who do not have
cavities after a hygiene appointment for display on our "No Cavity Club"
board. Their name and the date of the exam are at the bottom of the photo.
Is this an unacceptable practice according to HIPAA guidelines?
The fact is, however, that the publishing (posting, in this case) of identifiable patient information, in this case a photo with a name and a date of service, requires an authorization from the patient. If the patient is a minor (in this case), the parent must give authorization. (Posted 5/15/03)
I would like to know how the new HIPAA standards relate to medical
messaging services. We have been asked to swap confidentiality agreements
with several of our medical accounts. Is there more we should be doing to
be in compliance?
1. Does the acknowledgement need to be signed on a yearly basis or just one time?
2. We are almost a paperless office. Do you have any suggestions or
resources for us as to how to track which patients have filled out the
form or who still needs to? We don't pull a chart for every patient at
My suggestion for you in regards to tracking is to have this tied into your registration system. So that even if a chart is not pulled the acknowledgement of the NPP will be realized. (Posted 5/15/03)
1. Do we have to have a separate medical records release other than the one on the patient information sheet that states we can release records to the insurance co or other healthcare provider? It seems like we only need a separate one if the patient wants a copy of their record.
2. We are doing a training session next week and I want to be sure
we cover the main points of HIPAA privacy (I know we will have time to go
over the little things later). We will discuss patient reminders, charts
being turned around in the exam room doors, talking quietly when
referencing other patients, and of course the privacy contract itself. Are
we leaving out any major points?
In most states Rx bottles with patient information on their labels are
dumped into the trash. What procedure do the HIPAA regulations expect a
drugstore to follow with regards to this practice?
How are you recommending we handle disposal of IV bags, etc that
have labels on them containing PHI? Is it acceptable to throw them in the
regular trash cans with regular trash? Or would this place the hospital at
risk for not handling it properly?
If you use unidose medication systems, the same should be done with those labels. (Posted 5/15/03)
In our dental office the reception desk is open to the waiting area.
One of the front desk person's duties is making referral calls to
specialists (oral surgeons, endodontists, periodontists.) Will these phone
calls be considered a violation of the Privacy Rule if it is possible for
her end of the calls to be overheard by other patients in the waiting
HIPAA does not expect that information will never be overheard, but it does expect reasonable efforts to prevent this type of privacy breach. There are several ways to avoid this issue. Televisions, radios, or piped-in music can supply enough noise to distract from these conversations. The receptionist can also turn her face away from the waiting area, which muffles the conversation. Phone sets help with these conversations as well. And finally, a barrier such as a window or screen will also contain the conversations.
It is wise to make reasonable attempts to keep overheard conversations to a minimum. (Posted 5/15/03)
We are a medium-sized general dental practice with approximately
2800 patient records. What is our requirement to safeguard the patient
charts? Do they need to be locked within a filing cabinet, or can they
remain in our existing open chart shelves as long as physical barriers such
as doors can be locked? Do we have to purchase new filing cabinets which can
In your case, if you have existing physical barriers, such as a locking door, or a closed-off area that can be secured from unauthorized entry, then that seems to be a "reasonable effort". Just make sure, when you look at the area, to determine whether there are other means into the room besides the door.
Examples would be: windows that are not or can't be locked, drop-ceiling tiles, multiple access points (entry ways) from other rooms.
Also, the privacy and security regulations should be looked at as a minimum or baseline level of security that you could always augment at some time to ensure another layer of security. Could you add that extra layer of security by buying locking cabinets? Yes, you could, and then you have made a very strong "good faith" effort to ensure the PHI is secure. But again, keep in mind this is going a step beyond a baseline level of security.
So, in summary, assess your file room for the above-mentioned access points, and determine if it can be secured through a single or multiple methods. If it can, then you have made a "reasonable" effort. But, if you would choose to add another layer, such as the cabinets, you could do that as well. (Posted 5/15/03)
I need further clarification regarding privacy curtains. I work for
a pediatric dentist who has chairs in an open bay area. Is he required by
HIPAA to put up privacy curtains for treating children or does HIPAA make
an exception for pediatrics?
However, if the set up of the room consistently allows open observation of other patients, then as a privacy concern, shouldn’t this be controlled by curtains or movable barriers such as walls or panels?
Anything you can do to provide privacy should be encouraged and implemented. (Posted 5/15/03)
I work for a neurology practice and have questions regarding
patients' confidentiality. This office uses a sign-in sheet that stays at
the front desk. If the sign-in sheet is left out where everyone can see
it, does this mean that we are violating patient confidentiality? Also,
when calling patients back, we do not believe in calling patients on a
first-name basis; does calling the patient back using either first or last
name violate their rights? Is it best to use a number system even though
this is not personable?
Items to consider are:
How much information is requested on your sign in sheets?
What is the use of the sign in sheet, to keep track of patients, check times in and out? Then possibly a single piece of paper for each patient, with patient information transferred onto a master sheet during the day?
Calling names of patients is acceptable, using either first or last name. Some clinics or hospitals have gone to number systems, but how you give out information is the important thing.
At an STD clinic, you wouldn't want to announce "Joe Smith for his HIV test"... But for your neurology practice, either name is acceptable. (Posted 5/15/03)
I am looking for information on storing and destroying files under the HIPAA guidelines. Specifically,
1. Before shredding or burning documents what is the documentation process?
2. Also, where can I get a copy of the HIPAA rules and regulations?
3. What are the guidelines for storage of old x-ray and other imaging
Some states require certain files to be kept for a longer period of time, and then you would follow those guidelines. HIPAA states that you will keep some information for 6 years, but it depends on the paper or electronic information. Destruction usually follows your working arrangement with your recycling company or whoever destroys the information, and they should give you a statement or certificate of destruction. Also, you will want some type of confidentiality agreement in the contract, stating that their employees will be careful with your information and that it will be destroyed properly and in a timely manner. Other media, such as computer disks, x-rays, etc., can be destroyed when no longer needed. Storage will depend on state law and your own rules; beyond that, anything treated as patient health information (paper, x-rays, all of those kinds of items) must be treated the same for confidentiality, storage and disposal.
Here is the location for Administrative Simplification and then obtaining the HIPAA rules: http://aspe.os.dhhs.gov/admnsimp/ (Posted 5/15/03)
Can we have a copy of today schedule up where the patients might see
it if it only contains the patients names not the treatment or reason for
I am the office manager for 3 Family Nurse Practitioners, my question
relates to the postcards we send out to remind patients to schedule
appointments. Can they be open or do they need to be a folded over type?
As a Family Nurse Practitioner and in the area of reminding people to schedule appointments, I feel this is a very small risk and would use either the postcard or a fold-over postcard. Keep in mind that if you are reminding individuals to come in for an appointment for specific ailments, then I would err on the side of privacy. Also, if the cost difference were small between an open postcard and a fold-over postcard, I would opt for a fold-over one. (Posted 5/15/03)
What should be included when a fax is going to an insurance company
or a doctor's office regarding a patient? What kind of consent forms need
to be signed by the patient when they come in? Is there some kind of
straightforward list of the guidelines available?
Try to limit any disclosures by sending any patient health information to a known location. The person sending the PHI should know where it is going and that someone is available to secure that information by directly receiving it or it is in an area away from public access and viewing. (Posted 5/15/03)
Recently, we received a request from a nationwide workers comp
administrator trying to determine if a patient had any medical records in
existence in our clinic. Our response was that we are HIPAA compliant and
that we would need the patient's written authorization to consider their
request. The administrator's customer service rep. indicated that workers
comp is exempt from that rule. Is this true?
The HIPAA Privacy Rule does not apply to entities that are either workers’ compensation insurers, workers’ compensation administrative agencies, or employers, except to the extent they may otherwise be covered entities. According to the Privacy Rule, these entities need access to the health information of individuals who are injured on the job or who have a work-related illness to process or adjudicate claims, or to coordinate care under workers’ compensation systems. This healthcare information is normally obtained from health care providers who treat these individuals and who may be covered by the Privacy Rule. The Privacy Rule addresses the need of insurers and other entities involved in the workers’ compensation systems to have access to individuals’ health information as authorized by State or other law. Due to the significant variability among such laws, the Privacy Rule permits disclosures of health information for workers’ compensation purposes in a number of different ways.
Disclosures Without Individual Authorization. The Privacy Rule permits covered entities to disclose protected health information to workers’ compensation insurers, State administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization:
As authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault.
To the extent the disclosure is required by State or other law. The disclosure must comply with and be limited to what the law requires. See 45 CFR 164.512(a).
For purposes of obtaining payment for any health care provided to the injured or ill worker. See 45 CFR 164.502(a)(1)(ii) and the definition of “payment” at 45 CFR 164.501.
Disclosures With Individual Authorization. In addition, covered entities may disclose protected health information to workers’ compensation insurers and others involved in workers’ compensation systems where the individual has provided his or her authorization for the release of the information to the entity. The authorization must contain the elements and otherwise meet the requirements specified at 45 CFR 164.508.
Minimum Necessary. Covered entities are required reasonably to limit the amount of protected health information disclosed under 45 CFR 164.512(l) to the minimum necessary to accomplish the workers’ compensation purpose. Under this requirement, protected health information may be shared for such purposes to the full extent authorized by State or other law.
In addition, covered entities are required reasonably to limit the amount of protected health information disclosed for payment purposes to the minimum necessary. Covered entities are permitted to disclose the amount and types of protected health information that are necessary to obtain payment for health care provided to an injured or ill worker.
Where a covered entity routinely makes disclosures for workers’ compensation purposes under 45 CFR 164.512(l) or for payment purposes, the covered entity may develop standard protocols as part of its minimum necessary policies and procedures that address the type and amount of protected health information to be disclosed for such purposes.
Where protected health information is requested by a State workers’ compensation or other public official, covered entities are permitted to reasonably rely on the official’s representations that the information requested is the minimum necessary for the intended purpose. See 45 CFR 164.514(d)(3)(iii)(A).
Covered entities are not required to make a minimum necessary determination when disclosing protected health information as required by State or other law, or pursuant to the individual’s authorization. See 45 CFR 164.502(b). (Posted 5/15/03)
I am the new Privacy Officer for our Ophthalmology practice. Our
question is from our billing office. Most of our patients are elderly and
have family members taking care of their finances. Is it safe to assume we
can disclose the information given we use our identifiers?
There are varying opinions on your question. My answer should not be construed as a legal opinion. We are not giving a legal opinion in this matter.
My feeling is that your situation would dictate the receipt of an authorization from the patient to allow “family and friends” to participate in the patient’s care and the handling of his or her affairs. Unless the patient has been deemed to be incompetent, an authorization should be given by the patient. (Posted 5/15/03)
I work in a health care environment and our employer educated us well on the new HIPAA rules that went into effect a few weeks ago, but one thing I don't understand is why the Pastor of our church would tell the congregation that it will no longer be able to continue a prayer chain for those in need of healing or post names of those ill or hospitalized in our newsletter to be prayed for? I understand that the Pastor cannot call the hospital and request names or information about members, but if a member is in the hospital and would like the congregation to pray for them, why can't their name be mentioned during the service or printed in the bulletin to be prayed for?
Is someone overreacting? Or is there a rule that states this can
Understandably, people want to know when people are ill, hospitalized,
etc. It’s always a good practice to ask a patient or his/her family if
they would mind if an announcement is made or if they are added to the
prayer chain. (Posted 5/15/03)