Where can I get a copy of the HIPAA Privacy Rule?
Operating Procedures:
If my patient wants a copy of his medical records,
can I charge the patient for it under the Privacy Rule?
If my office has a patient's medical record and another doctor
created certain parts of that record, does the Privacy Rule allow
me to disclose the complete medical record?
Can I fax patient medical information to another doctor's
office?
Can I use patient sign-in sheets or call out the
names of patients in the waiting room?
Our clinic customarily places patient charts in the
plastic box outside an exam room. We do not want the record
left unattended with the patient, and the doctors want the record
close by for fast review right before they walk into the exam room.
Does the Privacy Rule allow the clinic to continue this practice?
Our hospital customarily displays patients' names
next to the door of the hospital rooms that they occupy. Does
the Privacy Rule allow us to continue this practice?
Is our hospital able to tell clergy about parishioners
in the hospital?
How does the Rule apply to professional liability
insurance? Specifically, how can professional liability insurers
continue to arrange for and maintain medical liability insurance
for health care providers covered by the Rule?
Does the Privacy Rule permit covered entities or
their collection agencies to obtain payment from parties other
than the patient, e.g., from spouses or guardians?
Business Associates:
Is a doctor or other provider going to be considered
a business associate of a health plan or other payer?
Do hospitals or other covered entities need to monitor
their business associates?
Am I required to have business associate contracts
with technicians such as plumbers, electricians, or photocopy
machine repairmen who provide repair services?
Are janitorial services business associates?
Are the following entities considered business
associates under the Privacy Rule: U.S. Postal Service,
United Parcel Service, delivery truck line employees and/or their
management?
Are state, county, or local health departments required
to comply with the Privacy Rule?
Miscellaneous:
Are the following types of insurance covered
under HIPAA: long/short term disability; workers' compensation; automobile
liability that includes coverage for medical payments?
Is an entity that is acting as a third party administrator
to a group health plan a covered entity?
The Social Security Administration collects medical
records for the Social Security Income disability program. Is
Social Security Administration a covered entity (e.g., a health
plan)?
Is the Privacy Rule compliance date delayed by
the Administrative Simplification Compliance Act that was enacted
in December 2001?
HIPAA allows small health plans, defined
as health plans having annual receipts of $5 million or less,
an additional year (in the case of the Privacy Rule, until April
14, 2004) to come into compliance. How should a health plan determine
what receipts to use to decide whether it qualifies as a small
health plan?
_____________________________________________________________________
Where can I get a copy of the HIPAA Privacy Rule?
Response: The Department of Health & Human Services
has released an unofficial version of the complete regulation text
of the Privacy Rule as modified at http://www.hhs.gov/ocr/hipaa/whatsnew.html
If my patient wants a copy of his medical records, can
I charge the patient for it under the Privacy Rule?
Response: Yes. Under the Privacy Rule, you can charge reasonable,
cost-based fees. This can include only the cost of copying (including
supplies and labor) and postage (if the patient requests that the
copy be mailed). If the patient agrees to a summary or explanation
of his or her protected health information, you can also charge
for preparing the summary or explanation. The fee cannot include
costs associated with searching for and retrieving the requested
information. See 45 C.F.R. § 164.524.
If my office has a patient's medical record and another doctor created
certain parts of that record, does the Privacy Rule allow me to
disclose the complete medical record?
Response: Yes, the Privacy Rule permits you to disclose
a complete medical record including portions that were created by
another provider, assuming that the disclosure is for a purpose
permitted by the Privacy Rule, such as treatment.
Can I fax patient medical information to another doctor's office?
Response: Yes, as long as the disclosure is for a purpose
allowed under the Privacy Rule. For example, the Privacy Rule permits
doctors to disclose protected health information to another health
care provider for treatment purposes. This can be done by fax or
by other means. You must have in place reasonable and appropriate
administrative, technical, and physical safeguards to protect the
privacy of protected health information that is disclosed using
a fax machine. Examples of such measures include using a cover sheet,
confirming the fax number to be used, and placing the fax machine
in a secure location to prevent unauthorized access to the information.
See 45 C.F.R. § 164.530(c).
Can I use patient sign-in sheets or call out
the names of patients in the waiting room?
Response: Yes. Covered entities such as doctors' offices
may use patient sign-in sheets or call out patient names in waiting
rooms, so long as the information disclosed is appropriately limited.
The Privacy Rule explicitly permits certain incidental disclosures
that occur as a by-product of an otherwise permitted disclosure,
for example, the disclosure to other patients in a waiting
room of the identity of the person whose name is called. However,
these incidental disclosures are permitted only to the
extent that the covered entity has applied reasonable and appropriate
safeguards (45 C.F.R. § 164.530(c)), and implemented the minimum
necessary standard, where appropriate (45 C.F.R. §§ 164.502(b)
and 164.514(d)). For example, the sign-in sheet may not display
medical information that is not necessary for the purpose of signing
in (e.g., the medical problem). For more information, see the preamble
to the final modifications to the Privacy Rule (67 Fed. Reg. 53182,
53193-95 (August 14, 2002)).
Our clinic customarily places patient charts
in the plastic box outside an exam room. We do not want the record
left unattended with the patient, and the doctors want the record
close by for fast review right before they walk into the exam room.
Does the Privacy Rule allow us to continue this practice?
Response: Yes. The Privacy Rule permits this practice as
long as the clinic takes reasonable and appropriate measures to
protect the patient's privacy. The doctor or other health care professionals
use the patient charts for treatment purposes. Incidental disclosures
to others that might occur as a result of the charts being left
in the box are permitted, if the minimum necessary and reasonable
safeguards requirements are met. As the purpose of leaving the chart
in the box is to provide the doctor with access to the medical information
relevant to the examination, the minimum necessary requirement would
be satisfied. Examples of measures that could be reasonable and
appropriate to safeguard the patient chart in such a situation would
be limiting access to certain areas, ensuring that the area is supervised,
escorting non-employees in the area, or placing the patient chart
in the box with the front cover facing the wall rather than having
protected health information about the patient visible to anyone
who walks by. Each covered entity must evaluate what measures are
reasonable and appropriate in its environment. Covered entities
may tailor measures to their particular circumstances. See 45 C.F.R.
§164.530(c).
Our hospital customarily displays patients'
names next to the door of the hospital rooms that they occupy. Does
the Privacy Rule allow us to continue this practice?
Response: The Privacy Rule explicitly permits certain
incidental disclosures that occur as a by-product of an otherwise
permitted disclosure, for example, the disclosure to other patients
in a waiting room of the identity of the person whose name is called.
In this case, disclosure of patient names by posting on the wall
is permitted by the Privacy Rule, if the use or disclosure is for
treatment (for example, to ensure that patient care is provided
to the correct individual) or health care operations purposes (for
example, as a service for patients and their families). The disclosure
of such information to other persons (such as other visitors) that
will likely also occur due to the posting is an incidental
disclosure.
Incidental disclosures are permitted only to the extent that the
covered entity has applied reasonable and appropriate safeguards
(45 C.F.R. § 164.530(c)), and implemented the minimum necessary
standard (45 C.F.R. §§164.502(b) and 164.514(d)). In this
case, it would appear that the disclosure of names is the minimum
necessary for the purposes of the permitted uses or disclosures
described above, and there do not appear to be additional safeguards
that would be reasonable to take in these circumstances. However,
each covered entity must evaluate what measures are reasonable and
appropriate in its environment. Covered entities may tailor measures
to their particular circumstances. For more information, see the
preamble to the final modifications to the Privacy Rule (67 Fed.
Reg. 53182, 53193-95 (August 14, 2002)).
Is our hospital able to tell clergy about parishioners
in the hospital?
Response: Yes. The Privacy Rule allows this communication
to occur, as long as the patient has been informed of this use and
disclosure, and does not object. The Privacy Rule provides that
a hospital or other covered health care provider may maintain in
a directory the following information about that individual: the
individual's name; location in the facility; health condition
expressed in general terms; and religious affiliation. The facility
may disclose this directory information to members of the clergy.
Thus, for example, a hospital may disclose the names of Methodist
patients to a Methodist minister, unless a patient has restricted
such disclosure. Directory information, except for religious affiliation,
may be disclosed only to other persons who ask for the individual
by name. When, due to emergency circumstances or incapacity, the
patient has not been provided an opportunity to agree or object
to being included in the facility's directory, these disclosures
may still occur, if such disclosure is consistent with any known
prior expressed preference of the individual and the disclosure
is in the individual's best interest as determined in the professional
judgment of the provider. See 45 C.F.R. § 164.510(a).
How does the Rule apply to professional liability
insurance? Specifically, how can professional liability insurers
continue to arrange for and maintain medical liability insurance
for health care providers covered by the Rule?
Response: The Privacy Rule permits a covered health care
provider to disclose information for health care operations
purposes, subject to certain requirements. Disclosures by a covered
health care provider to a professional liability insurer or a similar
entity for the purpose of obtaining or maintaining medical liability
coverage or for the purpose of obtaining benefits from such insurance,
including the reporting of adverse events, fall within business
management and general administrative activities under the
definition of health care operations. Therefore, a covered
health care provider may disclose individually identifiable health
information to a professional liability insurer to the same extent
as the provider is able to disclose such information for other health
care operations purposes. See 45 C.F.R. § 164.501 (definitions)
and § 164.502(a)(1)(ii) (permitted disclosures).
Does the Privacy Rule permit covered entities
or their collection agencies to obtain payment from parties other
than the patient, e.g., from spouses or guardians?
Response: Yes, the Privacy Rule permits a covered entity,
or a business associate acting on behalf of, or providing a service
to, a covered entity (e.g., a collection agency), to disclose protected
health information as necessary to obtain payment for health care,
and does not limit to whom such a disclosure may be made. Therefore,
a covered entity, or its business associate, may contact persons
other than the individual as necessary to obtain payment for health
care services. See 45 C.F.R. § 164.506(c). However, the Privacy
Rule requires a covered entity, or its business associate, to reasonably
limit the amount of information disclosed for such purposes to the
minimum necessary, as well as to abide by any reasonable requests
for confidential communications and any agreed-to restrictions on
use or disclosure of PHI. See 45 C.F.R. § 164.502(b).
Is a doctor or other provider going to be
considered a business associate of a health plan or other payer?
Response: Generally, providers are not business associates
of payers. For example, if a provider is a member of a health plan
network and the only relationship between the health plan (payer)
and the provider is one where the provider submits claims for payment
to the plan, then the provider is not a business associate of the
health plan. A business associate relationship could arise if the
provider is performing a function on behalf of, or providing services
to, the health plan (e.g., case management services). See the discussions
at 67 Fed. Reg. 14776, 14788 (March 27, 2002) concerning this issue.
Do hospitals or other covered entities need
to monitor their business associates?
Response: No. The Privacy Rule requires covered entities
to enter into written contracts or other arrangements with business
associates that protect the privacy of protected health information.
Covered entities are not required to monitor or oversee the means
by which their business associates carry out privacy safeguards
or the extent to which the business associate abides by the privacy
requirements of the contract. However, if a covered entity finds
out about a material violation of the contract, it must act to end
the violation, and, if unsuccessful, terminate the contract with
the business associate. If termination is not feasible, the covered
entity must report the problem to the Office for Civil Rights. See
45 C.F.R. § 164.504(e)(1).
Am I required to have business associate contracts
with technicians such as plumbers, electricians, or photocopy machine
repairmen who provide repair services?
Response: No. Plumbers, electricians and photocopy repair
technicians do not require access to protected health information
to perform their services for a doctor's office, so they do
not meet the definition of a business associate. Under the Privacy
Rule, business associates are contractors or other non-workforce
members hired to do the work of, or for, a covered entity that involves
the use or disclosure of protected health information. See 45 C.F.R.
§ 160.501.
Are janitorial services business associates?
Response: Generally, no. Janitorial services that clean
the facilities of a covered entity (i.e., a health care provider,
health plan or health care clearinghouse) are typically not business
associates because the work they perform for covered entities does
not involve the use or disclosure of protected health information,
and any disclosure of protected health information to janitorial
personnel that occurs in the performance of their duties (such as
may occur while emptying trash cans) is limited in nature, occurs
as a by-product of their janitorial duties, and could not be reasonably
prevented. Such disclosures are incidental and permitted by the
Privacy Rule. See 45 C.F.R. § 164.502(a)(1). If a service were
hired to do work for a covered entity where disclosure of protected
health information is not limited in nature (such as routine handling
of records or shredding of documents containing protected health
information), it likely would be a business associate. However,
when such work is performed under the direct control of the covered
entity (e.g., on the covered entity's premises), the Privacy
Rule permits the covered entity to treat the service as part of
its workforce, and the covered entity need not enter into a business
associate contract with the service. See 65 Fed. Reg. 82462, 82480
(December 28, 2000).
Are the following entities considered business
associates under the Privacy Rule: U.S. Postal Service, United
Parcel Service, delivery truck line employees and/or their management?
Response: No, the Privacy Rule does not require a covered
entity to enter into business associate contracts with organizations,
such as the US Postal Service, certain private couriers and their
electronic equivalents that act merely as conduits for protected
health information. A conduit transports information but does not
access it other than on a random or infrequent basis as necessary
for the performance of the transportation service or as required
by law. Since no disclosure is intended by the covered entity and
the probability of exposure of any particular protected health information
to a conduit is very small, a conduit is not a business associate
of the covered entity. See 65 Fed. Reg. 82462, 82476 (December 28,
2000).
Are state, county, or local health departments
required to comply with the Privacy Rule?
Response: Yes, if a state, county, or local health department
performs functions that make it a covered entity, or otherwise meets
the definition of a covered entity. For example, a state Medicaid
program is a covered entity (i.e., a health plan) as defined in
the Privacy Rule. Some health departments operate health care clinics
and thus are health care providers. If these health care providers
transmit health information electronically in connection with a
transaction covered in the HIPAA Transactions Rule, they are covered
entities. For more information, see the definitions of covered entity,
health care provider, health plan, and health care clearinghouse
in 45 C.F.R. § 160.103.
If the health department performs some covered functions (i.e.,
those activities that make it a provider that conducts certain transactions
electronically, a health plan or a health care clearinghouse) and
other non-covered functions, it may designate those components (or
parts thereof) that perform covered functions as the health care
component(s) of the organization and thereby become a type of covered
entity known as a hybrid entity. Most of the requirements
of the Privacy Rule apply only to the hybrid entity's health
care component(s). If a health department elects to be a hybrid
entity, there are restrictions on how its health care component(s)
may disclose protected health information to other components of
the health department. See 45 C.F.R. § 164.504(a)-(c)
for more information about hybrid entities.
Are the following types of insurance covered
under HIPAA: long/short term disability; workers' compensation; automobile
liability that includes coverage for medical payments?
Response: No, the listed types of policies are not health
plans. The HIPAA administrative simplification regulations specifically
exclude from the definition of a health plan any policy,
plan, or program to the extent that it provides, or pays for the
cost of, excepted benefits, which are listed in section 2791(c)(1)
of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1). See
45 C.F.R. § 160.103. As described in the statute, excepted
benefits are one or more (or any combination thereof) of the following
policies, plans or programs:
Coverage only for accident, or disability income insurance,
or any combination thereof.
Coverage issued as a supplement to liability insurance.
Liability insurance, including general liability insurance
and automobile liability insurance.
Workers' compensation or similar insurance.
Automobile medical payment insurance.
Credit-only insurance.
Coverage for on-site medical clinics.
Other similar insurance coverage, specified in regulations,
under which benefits for medical care are secondary or incidental
to other insurance benefits.
Is an entity that is acting as a third party
administrator to a group health plan a covered entity?
Response: No, providing services to or acting on behalf
of a health plan does not transform a third party administrator
into a covered entity. Generally, a third party administrator of
a group health plan would be acting as a business associate of the
group health plan. Of course, the third party administrator may
meet the definition of a covered entity based on its other activities
(such as by providing group health insurance). See 45 C.F.R. §
160.103.
The Social Security Administration collects
medical records for the Social Security Income disability program.
Is Social Security Administration a covered entity (e.g., a health
plan)?
Response: The Social Security Administration is not
a covered entity. The collection of individually identifiable health
information is not a factor in determining whether an entity is
a covered entity. Covered entities are defined in HIPAA; they are
(1) health plans, (2) health care clearinghouses, and (3) health
care providers that transmit any health information in electronic
form in connection with a transaction covered in the HIPAA Transactions
Rule. These terms are defined in detail at 45 C.F.R. § 160.103.
Is the Privacy Rule compliance date delayed
by the Administrative Simplification Compliance Act that was enacted
in December 2001?
Response: No, the compliance date for the Privacy Rule is
April 14, 2003, unless you are a small health plan, in which case
your compliance date is April 14, 2004. The Administrative Simplification
Compliance Act does not apply to the HIPAA Privacy Rule. Rather,
the Administrative Simplification Compliance Act delays compliance
with the Transaction and Code Set standards adopted by the HIPAA
Transactions Rule for covered entities that file a compliance plan.
HIPAA allows small health plans,
defined as health plans having annual receipts of $5 million or
less, an additional year (in the case of the Privacy Rule, until
April 14, 2004) to come into compliance. How should a health plan
determine what receipts to use to decide whether it qualifies as
a small health plan?
Response: Health plans that file certain federal tax
returns and report receipts on those returns should use the guidance
provided by the Small Business Administration at 13 C.F.R. §
121.104 to calculate annual receipts. Health plans that do not report
receipts to the IRS - for example, ERISA group health plans that
are exempt from filing income tax returns - should use proxy measures
to determine their annual receipts.
* Taken from the website of the Department of Health and Human Services