HIPAA Privacy FAQs

What is the HIPAA privacy regulation?

Until Congress passed HIPAA in 1996, protected health information (PHI) was covered only by a patchwork of federal and state laws. Patients’ health information could be distributed without their consent for reasons having nothing to do with their medical treatment or health care reimbursement. The HIPAA Privacy Rule provides the first comprehensive federal protection for the privacy of individually identifiable health information (IIHI). It increases consumer control over the use and disclosure of their medical information, and it establishes the safeguards that must be followed to protect the privacy of patients’ health information.

What does the HIPAA Privacy Rule do?

  • It gives patients more control over their health information.
  • It sets boundaries on the use and release of health records.
  • It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
  • It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
  • It strikes a balance where public responsibility (for example, public health reporting) supports disclosure of some forms of data.
  • For patients, it means being able to make informed choices when seeking care and reimbursement for care, based on how their PHI may be used.
  • It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
  • It generally limits release of information to the minimum reasonably necessary for the purpose of the disclosure.
  • It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
  • It empowers individuals to control certain uses and disclosures of their health information.

Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?

For the average health care provider or health plan, the Privacy Rule requires activities, such as:

  • Notifying patients about their privacy rights and how their information can be used.
  • Adopting and implementing privacy procedures for its practice, hospital, or plan.
  • Training employees so that they understand the privacy procedures.
  • Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Who must comply with these new HIPAA privacy standards?

  • Health plans
  • Health care clearinghouses
  • Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.

What were the major modifications to the HIPAA Privacy Rule that the Department of Health and Human Services (HHS) adopted in August 2002?

Based on the information received through public comments, testimony at public hearings, meetings at the request of industry and other stakeholders, and other communications, HHS identified a number of areas in which the Privacy Rule, as issued in December 2000, would have had unintended effects on health care quality or access. As a result, HHS proposed modifications that would maintain strong protections for the privacy of individually identifiable health information, address the unintended negative effects of the Privacy Rule on health care quality or access to health care, and relieve unintended administrative burdens created by the Privacy Rule.

Final modifications to the Rule were adopted on August 14, 2002. Among other things, the modifications addressed the following aspects of the Privacy Rule:

  • Uses and disclosures for treatment, payment and health care operations, including eliminating the requirement for the individual’s consent for these activities;
  • The notice of privacy practices that covered entities must provide to patients;
  • Uses and disclosures for marketing purposes;
  • Minimum necessary uses and disclosures;
  • Parents as the personal representative of un-emancipated minors;
  • Uses and disclosures for research purposes;
  • Transition provisions, including business associate contracts.

In addition to these key areas, the modifications included changes to certain other provisions where necessary to clarify the Privacy Rule, and a list of technical corrections intended as editorial or typographical corrections to the Privacy Rule.

For more information about the final modifications to the Privacy Rule, see the fact sheet entitled “Modifications to the Standards for Privacy of Individually Identifiable Health Information – Final Rule.” This fact sheet can be found at www.hhs.gov

Why was the consent requirement eliminated from the HIPAA Privacy Rule, and how will it affect individuals’ privacy protections?

The consent requirement created the unintended effect of preventing health care providers from providing timely, quality health care to individuals in a variety of circumstances. The most troubling and pervasive problem was that health care providers would not have been able to use or disclose PHI for treatment, payment, or health care operations purposes prior to the initial face-to-face encounter with the patient, which is routinely done to provide timely access to quality health care.

To eliminate such barriers to health care, mandatory consent was replaced with the voluntary consent provision that permits health care providers to obtain consent for treatment, payment and health care operations, at their option, and enables them to obtain consent in a manner that does not disrupt needed treatment. Although consent is no longer mandatory, the Rule still affords individuals the opportunity to engage in important discussions regarding the use and disclosure of their health information through the strengthened notice requirement, while allowing activities that are essential to quality health care to occur unimpeded. These modifications will ensure that the Rule protects patient privacy as intended without harming consumers’ access to care or the quality of that care. Further, the individual’s right to request restrictions on the use or disclosure of his or her PHI is retained in the Rule as modified.

What if I don’t comply with the regulation?

The government can impose civil penalties for noncompliance of $100 per violation, up to $25,000 per calendar year for violations of the same requirement. Knowing misuse of individually identifiable health information is a criminal offense, with fines of up to $250,000 and imprisonment of up to ten years for the most serious cases (those involving intent to sell the information or to use it for commercial advantage, personal gain or malicious harm).

Can’t I just follow state laws regarding physician-patient confidentiality?

No. The HIPAA Privacy Rule is much more formal than the patient confidentiality laws physicians traditionally adhered to, and it sets a federal floor: it preempts contrary state law except where the state law is more stringent (more protective of the patient). In that case you must follow both, which in practice means the more stringent state requirement applies on top of the federal one.

What information is protected?

HIPAA defines PHI as individually identifiable health information that a covered entity creates, receives, maintains or transmits, in any form or medium. PHI is widely inclusive. It can include a patient’s name, Social Security number or medical record number; specific dates such as birth, admission, discharge or death; or any other information that may be used to identify a patient. The health information itself may concern a past, present or future physical or mental condition, the provision of health care to an individual, or the past, present or future payment for that care. Simply removing the patient’s name is not enough to take the information outside the Rule: the remaining identifiers (dates, record numbers, Social Security numbers and the like) still make it identifiable. Formal “de-identification” is an onerous task that most physician practices will not undertake.

Do I only have to protect the PHI that is transmitted electronically?

No. If you are a covered entity (CE), all uses and disclosures of PHI are regulated. You must institute safeguards to protect PHI whether you disclose it verbally, in writing or electronically. The good news is that under the final rule, you do not need the patient’s consent for most routine uses or disclosures of PHI related to treatment, payment and health care operations (TPO). Health care operations include but are not limited to fundraising activities; quality assessment and improvement activities; insurance activities; business planning, development and management activities, licensing and audits; evaluating health care professionals and plans; and training health care professionals.

What are the basic rules on disclosure of PHI?

The rules regarding the use of PHI pertain to disclosures as well. Essentially, your practice may use and disclose PHI for your own TPO activities. The regulation also requires that you put in place policies regarding use and disclosure.

What kinds of safeguards are required?

You must establish appropriate administrative, technical and physical safeguards to protect PHI in your practice from intentional or unintentional disclosure. For example, the regulation requires you to limit access to PHI but provides you with enough flexibility to determine for yourself who in your office needs access to PHI and how much information they need to do their jobs.

What are a patient’s rights regarding PHI?

Patients have six fundamental rights:

1. The right to receive a notice of your privacy practices.
2. The right to access the medical information you maintain about him or her.
3. The right to request limits on the uses and disclosures of his or her medical information.
4. The right to request amendments to the medical record.
5. The right to revoke or limit an authorization he or she has given.
6. The right to an accounting of disclosures of his or her PHI.

What should I do to protect the PHI in my office?

Although the privacy regulation gives you some flexibility for determining what is reasonable for protecting PHI in your office, you will be required to do the following:

  • Adopt clear privacy policies and procedures for your practice.
  • Designate someone to be responsible for seeing that the privacy policies and procedures are followed.
  • Train employees so that they understand the privacy policies and procedures.
  • Secure patient records containing PHI so that they are not accessible to those who don’t need them.
  • Provide information to patients about their privacy rights and how their information can be used.

What are some practical first steps?

  • Develop privacy policies and procedures.
  • Identify business associates.
  • Develop a privacy notice.
  • Decide how you will give notice.
  • Determine authorization needs.
  • Decide how you will handle requests for PHI.
  • Develop a system for managing restrictions on PHI.
  • Develop a procedure for logging disclosures.

If I believe that my privacy rights have been violated, when can I submit a complaint?

By law, covered entities have until April 14, 2003 to comply with the Privacy Rule. Small health plans have until April 14, 2004 to comply. Activities occurring before April 14, 2003, are not subject to Office for Civil Rights (OCR) enforcement actions. After that date, a person who believes a covered entity is not complying with a requirement of the Privacy Rule may file a written complaint with OCR, either on paper or electronically. The complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred. The Secretary may waive this 180-day time limit if good cause is shown.

In addition, after the compliance dates above, individuals have a right to file a complaint directly with the covered entity. Individuals should refer to the covered entity’s notice of privacy practices for more information about how to file a complaint with the covered entity.

Can a physician’s office fax patient medical information to another physician’s office?

The Privacy Rule permits physicians to disclose PHI to another health care provider for treatment purposes. This can be done by fax or by other means. Covered entities must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of PHI that is disclosed using a fax machine.

Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?

Yes. The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. The provisions of the Rule that require covered entities to implement reasonable safeguards reflecting their particular circumstances, and that exempt treatment disclosures from certain requirements, are intended to ensure that providers’ primary consideration is the appropriate treatment of their patients. The Privacy Rule recognizes that oral communications often must occur freely and quickly in treatment settings, so covered entities are free to engage in communications as required for quick, effective, and high quality health care. The Rule also recognizes that overheard communications in these settings may be unavoidable, and it allows for these incidental disclosures. Reasonable precautions could include using lowered voices or talking apart from others when sharing PHI. However, in an emergency situation, in a loud emergency room, or where a patient is hearing impaired, such precautions may not be practicable.

May physician’s offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine.

A covered entity may also leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed.

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable.

Can physician offices use patient sign-in sheets or call out the names of patients in their waiting rooms?

Yes, covered entities such as physician offices may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The Privacy Rule explicitly permits certain “incidental disclosures” that occur as a by-product of an otherwise permitted disclosure. However, these “incidental” disclosures are permitted only to the extent that the covered entity has applied reasonable and appropriate safeguards, and implemented the minimum necessary standard, where appropriate.

Is a covered entity required to prevent any incidental use or disclosure of PHI?

No. The HIPAA Privacy Rule does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Rule requires only that covered entities implement reasonable safeguards to limit incidental uses or disclosures.

How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?

The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the Rule requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.

The minimum necessary standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to PHI without sacrificing the quality of health care.
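The three mechanics this page keeps returning to, a purpose-limited (“minimum necessary”) view of a record, the patient-requested restrictions a practice has agreed to, and a log from which an accounting of disclosures can be produced, can be modelled in a few dozen lines. The following is an added illustration, not code from HHS or from any practice; the record, the purpose-to-field policy, the recipient names and the dates are all constructed for the example. Two details of the Rule are built in: disclosures to a provider for treatment are exempt from the minimum necessary standard, and disclosures for treatment, payment and health care operations (and reminders sent to the patient) are excluded from the accounting of disclosures.

```python
"""Toy model of minimum-necessary views, agreed restrictions and a disclosure
log. Purposes, field sets and the sample record are assumptions for this
illustration; a real practice defines its own policy with clinical input."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed, fictional patient record (not real data).
RECORD: Dict[str, object] = {
    "mrn": "MRN-000123",
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "date_of_birth": "1975-03-14",
    "diagnosis": "type 2 diabetes",
    "medications": ["metformin 500 mg"],
    "insurance_id": "INS-98765",
    "balance_due": 120.50,
    "next_appointment": "2003-05-02 09:30",
}

# Assumed policy: the fields each purpose may see. None means the full record,
# used for treatment because minimum necessary does not apply to disclosures
# to a provider for treatment. Every other purpose gets only what serves it.
MINIMUM_NECESSARY: Dict[str, Optional[FrozenSet[str]]] = {
    "treatment": None,
    "payment": frozenset({"mrn", "name", "insurance_id", "diagnosis", "balance_due"}),
    "operations": frozenset({"mrn", "diagnosis", "medications"}),  # e.g. quality review
    "appointment_reminder": frozenset({"name", "next_appointment"}),  # answering machine
    "public_health": frozenset({"name", "date_of_birth", "diagnosis"}),
}

# Disclosures for TPO, and reminders sent to the patient, are not part of the
# accounting the patient can request; they are still logged for internal audit.
EXEMPT_FROM_ACCOUNTING = frozenset({"treatment", "payment", "operations", "appointment_reminder"})


@dataclass
class Disclosure:
    mrn: str
    on: date
    recipient: str
    purpose: str
    fields: List[str]      # which parts of the record went out
    accountable: bool      # must appear in an accounting of disclosures


@dataclass
class PrivacyLedger:
    # Restrictions the practice has agreed to: mrn -> recipients it must not disclose to.
    restrictions: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    log: List[Disclosure] = field(default_factory=list)

    def agree_restriction(self, mrn: str, blocked_recipients: Iterable[str]) -> None:
        self.restrictions[mrn] = frozenset(blocked_recipients)

    def disclose(self, record: Dict[str, object], recipient: str,
                 purpose: str, on: str) -> Dict[str, object]:
        """Return the minimum-necessary view for `purpose` and log the disclosure.
        `on` is an ISO date string. Raises PermissionError when the purpose has no
        policy (i.e. a patient authorization would be needed) or when an agreed
        restriction blocks the recipient."""
        if purpose not in MINIMUM_NECESSARY:
            raise PermissionError(f"no policy for purpose {purpose!r}; authorization required")
        mrn = str(record["mrn"])
        if recipient in self.restrictions.get(mrn, frozenset()):
            raise PermissionError(f"agreed restriction blocks disclosure to {recipient!r}")
        allowed = MINIMUM_NECESSARY[purpose]
        view = {k: v for k, v in record.items() if allowed is None or k in allowed}
        self.log.append(Disclosure(mrn, date.fromisoformat(on), recipient, purpose,
                                   sorted(view), purpose not in EXEMPT_FROM_ACCOUNTING))
        return view

    def accounting(self, mrn: str, since: str) -> List[Disclosure]:
        """Entries a patient is entitled to see, from `since` (ISO date) onward."""
        start = date.fromisoformat(since)
        return [d for d in self.log if d.mrn == mrn and d.accountable and d.on >= start]


def demo() -> PrivacyLedger:
    """Walk the constructed record through the disclosures discussed on this page."""
    ledger = PrivacyLedger()
    ledger.disclose(RECORD, "Dr. Smith (referral)", "treatment", "2003-05-01")
    ledger.disclose(RECORD, "Acme Claims Inc.", "payment", "2003-05-01")
    ledger.disclose(RECORD, "patient answering machine", "appointment_reminder", "2003-05-01")
    ledger.disclose(RECORD, "State Health Department", "public_health", "2003-05-03")
    return ledger


if __name__ == "__main__":
    ledger = demo()
    for d in ledger.accounting("MRN-000123", "2003-04-14"):
        print(d.on, d.recipient, d.purpose, d.fields)
```

The point of routing every disclosure through one function is that the minimum necessary policy, the agreed restrictions and the accounting log cannot drift apart: a purpose with no policy is refused rather than silently given the full record, and the log records exactly the fields that left the practice, which is what an accounting request needs.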

Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?

Yes, the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.

There are three situations when the parent would not be the minor’s personal representative under the Privacy Rule. These exceptions are: (1) when the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law; (2) when the minor obtains care at the direction of a court or a person appointed by the court; and (3) when, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship. However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access. Parental access would be denied when State or other law prohibits such access. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor’s medical information.

Finally, as is the case with respect to all personal representatives under the Privacy Rule, a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.

How does the HIPAA Privacy Rule change the laws concerning consent for treatment?

The Privacy Rule relates to uses and disclosures of PHI, not to whether a patient consents to the health care itself. As such, the Privacy Rule does not affect informed consent for treatment, which is addressed by State law.

What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?

The Privacy Rule permits, but does not require, a covered entity to obtain a patient’s voluntary consent for uses and disclosures of PHI for treatment, payment and health care operations (TPO). Covered entities that do so have complete discretion to design a consent process that best suits their needs.

By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of PHI not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of PHI unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual. An authorization must specify a number of elements, including a description of the PHI to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the CE may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

Can a pharmacist use PHI to fill a prescription that was telephoned in by a patient’s physician without the patient’s written consent if the patient is a new patient to the pharmacy?

Yes. The pharmacist is using the PHI for treatment purposes, and the HIPAA Privacy Rule does not require covered entities to obtain an individual’s consent prior to using or disclosing PHI about him or her for treatment, payment or health care operations.

Can health care providers, such as a specialist or hospital, to whom a patient is referred for the first time, use PHI to set up appointments or schedule surgery or other procedures without the patient’s consent?

Yes. The HIPAA Privacy Rule does not require covered entities to obtain an individual’s consent prior to using or disclosing PHI about him or her for treatment, payment, or health care operations.

Are health care providers restricted from consulting with other providers about a patient’s condition without the patient’s written authorization?

No. Consulting with another health care provider about a patient is within the HIPAA Privacy Rule’s definition of “treatment” and, therefore, is permissible. In addition, a health care provider (or other covered entity) is expressly permitted to disclose PHI about an individual to a health care provider for that provider’s treatment of the individual.