Three myths about HIPAA

Although HIPAA has existed for more than 20 years, many organizations still struggle to interpret the law correctly. When their interpretations are too strict, it can make physician and staff jobs harder than they need to be.

Here are three common myths about HIPAA.

Myth 1: HIPAA prohibits the use of sign-in sheets.

Fact: Your practice can use sign-in sheets as long as the information collected is appropriately limited. For example, sign-in sheets can include the patient name, check-in time, and provider name if necessary but should omit medical information such as the reason for the visit. This reduces incidental disclosure of patients’ health information to others.

Myth 2: HIPAA requires you to obtain written authorization from the patient before speaking with family members.

Fact: You can talk with family members or even close personal friends of the patient to the extent these individuals are involved in the patient’s care or payment for care as long as the patient has had an opportunity to agree or object. A patient’s verbal permission for you to speak with his or her spouse, parent, or child is sufficient; a formal authorization form is not required.

Myth 3: HIPAA prohibits email communication with patients about clinical matters.

Fact: You can send protected health information by email, but you must implement safeguards under the security rule to ensure the information is secure, accessed only by authorized individuals, and not altered, edited, or deleted. The best way to do this is to encrypt your emails; however, patients have the right to request access to their own information via unencrypted email. You may send patient information by unencrypted email if you have advised the patient of the risks and the patient still prefers unencrypted email.

Read more myths and facts in the full FPM article: “HIPAA: Answers to Your Frequently Asked Questions.”