HIPAA: Answers to Your Frequently Asked Questions

Does your organization interpret HIPAA too strictly, too loosely, or just right? Find out with these FAQs.

Fam Pract Manag. 2018 Mar-Apr;25(2):12-16.

Author disclosure: no relevant financial affiliations disclosed.

Since its inception more than 20 years ago, the Health Insurance Portability and Accountability Act (HIPAA) has seemed to elicit more questions than answers. When HIPAA's privacy rule was initially proposed in 1999, the U.S. Department of Health & Human Services (HHS) received more than 52,000 public comments and questions about it, and there was “substantial confusion and misunderstanding” about how the rule would operate and “great concern” over its complexity.1 Over the years, HHS has offered further guidance on both the privacy and security rules, yet many questions, myths, and misinterpretations remain. This article answers some frequently asked questions to help you be better informed.

KEY POINTS

  • Although HIPAA has existed for more than 20 years, medical practices and other health care organizations still struggle to interpret the law correctly due to its complexity.

  • Some organizations are overly strict in their interpretation of HIPAA and prohibit the use of sign-in sheets or phone messages.

  • Other organizations are too loose in their interpretation of HIPAA and have never conducted the required security risk assessment.

PATIENT PRIVACY

Q: Does HIPAA prohibit the use of sign-in sheets?

A: Your practice can use sign-in sheets as long as the information collected is appropriately limited. For example, sign-in sheets can include the patient name, check-in time, and provider name if necessary but should omit medical information such as the reason for the visit. This reduces incidental disclosure of patients' health information to others.2

Q: Can I leave messages about a patient's care via voicemail or with family members?

A: When leaving a message, you must reasonably safeguard information, for example, by disclosing the minimum information necessary in the message or verifying the identity of the person receiving the information.2,3,4 The HHS Office for Civil Rights (OCR) suggests leaving only the provider's name and number and asking the patient to call back, in order to reasonably protect information left in a voicemail. You can talk with family members or even close personal friends of the patient to the extent these individuals are involved in the patient's care or payment for care, as long as the patient has had an opportunity to agree or object.5 A patient's verbal permission for you to speak with his or her spouse, parent, or child is sufficient; a formal authorization form is not required.

Q: Can I discuss patients' care at a nursing station or other location where the conversation may be overheard?

A: You and your staff can discuss patients' care, even if there is a possibility the conversation may be overheard, if you take reasonable safeguards to prevent unnecessary disclosures.2,3 For example, coordinating care at the nursing

ABOUT THE AUTHOR

Richelle Marting is an attorney practicing with Forbes Law Group in Overland Park, Kan., where she focuses on regulatory compliance and health care reimbursement.

References

1. U.S. Department of Health and Human Services. Standards for privacy of individually identifiable health information. Fed Regist. 2002;67(157):53182. Codified at 45 CFR §160 and §164....

2. Office for Civil Rights. HIPAA FAQs for professionals. U.S. Department of Health and Human Services website. https://www.hhs.gov/hipaa/for-professionals/faq/. Updated October 12, 2017. Accessed February 2, 2018.

3. U.S. Department of Health and Human Services. Uses and disclosures of protected health information: general rules. 45 CFR §164.502.

4. U.S. Department of Health and Human Services. Other requirements relating to uses and disclosures of protected health information. 45 CFR §164.514(h).

5. U.S. Department of Health and Human Services. Uses and disclosures requiring an opportunity for the individual to agree or to object. 45 CFR §164.510(b)(1)(i).

6. U.S. Department of Health and Human Services. Access of individuals to protected health information. 45 CFR §164.524(c)(4).

7. Health Information Privacy Division. Individuals' right under HIPAA to access their health information. U.S. Department of Health and Human Services website. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html. February 25, 2016. Accessed February 2, 2018.

8. U.S. Department of Health and Human Services. Accounting of disclosures of protected health information. 45 CFR §164.528(a).

9. U.S. Department of Health and Human Services. Definitions. 45 CFR §160.103.

10. U.S. Department of Health and Human Services. HIPAA privacy rule accounting of disclosures under the Health Information Technology for Economic and Clinical Health Act. Fed Regist. 2011;76(104):31426, 31430. Codified at 45 CFR §164.

11. U.S. Department of Health and Human Services. Rights to request privacy protection for protected health information. 45 CFR §164.522(a)(1)(vi).

12. U.S. Department of Health and Human Services. Modifications to the HIPAA privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA rules. Fed Regist. 2013;78(17):5566, 5588, 5626, 5627, 5634. Codified at 45 CFR §160 and §164.

13. Centers for Medicare & Medicaid Services. Medicare Benefit Policy Manual, 100-02, Chapter 15, Section 40. https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/bp102c15.pdf. July 11, 2017. Accessed February 2, 2018.

14. U.S. Department of Health and Human Services. Administrative safeguards. 45 CFR §164.308(a)(1)(ii)(A).

15. Office for Civil Rights. Guidance on risk analysis requirements under the HIPAA security rule. U.S. Department of Health and Human Services website. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf. July 14, 2010. Accessed February 2, 2018.

16. U.S. Department of Health and Human Services. Technical safeguards. 45 CFR §164.312(a)(1), (c)(1), (e)(1).

17. Office for Civil Rights. Fact sheet: Ransomware and HIPAA. U.S. Department of Health and Human Services website. https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf. July 11, 2016. Accessed February 2, 2018.

18. U.S. Department of Health and Human Services. Definitions. 45 CFR §164.402.

19. U.S. Department of Health and Human Services. Modifications to the HIPAA privacy, security, and enforcement rules under the Health Information Technology for Economic and Clinical Health Act. Fed Regist. 2010;75(134):40868, 40874. Codified at 45 CFR §160 and §164.

Copyright © 2018 by the American Academy of Family Physicians.