Frequently Asked Questions about HIPAA
The following "FAQs" do not constitute legal advice and are provided solely for the convenience and use of members of the American Medical Association. Information is based on current federal law (at the time of posting) and is subject to change based on changes in federal law or subsequent interpretative guidance. Users of this information must consider applicable state law where that state law is more stringent than the federal law.
Although April 14, 2003 was the deadline for complying with the HIPAA Privacy Rules, questions and misconceptions continue to exist. In an effort to facilitate access to guidance, the AMA has compiled the following list of FAQs. We'll keep listening to your questions and post responses, so please check back for updates.
Yes. The Privacy Rules do not prohibit a "covered entity" from faxing protected health information.
A physician should be sure, however, to comply with the Privacy Rules' requirements for disclosures generally. For example, the physician should check whether the "minimum necessary" rule applies and, if it does, limit the information in the fax to the minimum necessary information.
Also, a physician should be sure to have appropriate security safeguards in place that are administrative, technical, and physical in nature. For example, the physician should use policies and procedures that require office staff to verify the recipient's fax number and use a cover sheet that does not include protected health information.
The Privacy Rules require a physician to make reasonable efforts to limit the amount of protected health information that the physician uses or discloses to the minimum amount that is necessary to accomplish the purpose of the use or disclosure.
Importantly, this requirement does not apply when a physician discloses information to another provider for treatment purposes or when a physician requests information from another provider for treatment purposes. Accordingly, the minimum necessary standard should not interfere with a physician's ability to provide appropriate treatment to patients.
The minimum necessary standard also does not apply when the physician releases information: (a) directly to the patient, (b) pursuant to a patient's authorization, or (c) for disclosures that are required by law or are necessary to comply with the Privacy Rules.
The Privacy Rules do not prohibit a covered entity from faxing protected health information to a physician.
If a covered entity refers to the Privacy Rules as the reason the covered entity will not fax information to a physician, the physician may direct the covered entity to the Department of Health and Human Services' Frequently Asked Questions at: http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html. The physician may also find it helpful to assure the covered entity that appropriate safeguards are in place to receive the fax securely.
Yes. Physicians may use any method of communication — including e-mail, oral conversations, written letters, or other methods (including sending facsimiles) — so long as the physician uses "reasonable and appropriate safeguards" to protect the communication.
The Privacy Rules require physicians to use appropriate administrative, technical, and security safeguards to protect the privacy of protected health information — including oral communications. This means that physicians must use reasonable efforts to have protections in place, but they do not need to make expensive structural changes to "soundproof" their offices. The Department of Health and Human Services addresses this topic in one of its Frequently Asked Questions at http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html.
Physicians who would like to learn more about protecting oral communications through use of "sound masking" or "acoustic engineering" tools can review a paper entitled "Oral Communications: Myths and Facts White Paper," one of the "SNIP Work Products" posted on the Web site of the Workgroup for Electronic Data Interchange (WEDI)/Strategic National Implementation Process (SNIP) at http://www.wedi.org.
This depends on whether the person calling has a role in taking care of the patient and whether the physician believes, in his/her professional judgment, release of the patient's information is in the patient's interest and relates to the person's involvement in the patient's care.
The Privacy Rules allow a physician to share a patient's information with the patient's family member or friend so long as the information is limited to information directly relevant to that person's involvement in the patient's care. For example, a physician may tell a person living with the patient that the patient needs plenty of rest and lots of fluids or that the patient needs to take a prescribed medication twice daily with food. The physician should not share more information than the person needs to assist with the patient's care.
A physician should not share a patient's information with the patient's family or friends if the patient has asked the physician not to or if the physician believes, in his/her professional judgment, a disclosure would be inappropriate.
"Some physicians are complaining that the Privacy Rules are making it hard for them to get information about their patients. For example, there have been reports of physicians unable to check on a patient who has been transferred to another hospital or unable to get information from a specialist who is seeing one of the physician's patients. How does a physician keep these problems from interfering with his/her practice?"
The Privacy Rules do not place any restrictions on the ability of a covered entity to share a patient's protected health information with a physician for treatment purposes.
The best way for a physician to respond to this problem is to be armed with knowledge about what the Privacy Rules actually do and do not prohibit. The physician should be ready to explain that the Privacy Rules permit a covered entity to share unlimited protected health information with a physician for the physician to use for treatment purposes. The Privacy Rules state that "A covered entity may disclose protected health information for treatment activities of a health care provider" (45 C.F.R. § 164.506(c)(2)) and that the minimum necessary requirement "does not apply to….Disclosures to or requests by a health care provider for treatment" (45 C.F.R. § 164.502(b)(2)(i)).
Department of Health and Human Services - Frequently asked questions
A physician may always disclose protected health information to another physician or other health care provider for treatment. The physician does not need to limit or otherwise restrict the amount of information disclosed for purposes of treatment.
The only exception applies to a mental health professional's personal psychotherapy notes, which may be disclosed only with the patient's authorization.
Yes. The Privacy Rules allow a physician to communicate with patients, including communications to the patient's home. When making these types of communications, however, the physician should take precautions to safeguard the patient's privacy. For example, when leaving a message on the patient's answering machine, the physician should limit the amount of information left in the message to just the information necessary to confirm the appointment time or to request that the patient call the physician's office.
The Privacy Rules also permit a physician to leave a message directly with the patient's family member or companion. Physicians are allowed to disclose information about the patient's care to the patient's family members and friends, even if the patient is not present or has not affirmatively given the physician permission to do so, so long as the physician believes, in his/her professional judgment, that the disclosure is in the patient's best interest. However, if the patient has expressly directed that there be no disclosure to specific family members or friends, the patient's wishes must be respected.
Also, if a patient has requested that the physician communicate in a confidential manner, the physician must accommodate the request if it is reasonable. For example, it would be reasonable for a patient to request that all mailings be sent to a specific address (e.g., to the patient's office instead of home, or vice versa), or be sent in a closed envelope instead of on a postcard.
Yes. To the extent these activities result in other people learning a patient's name or other information, the disclosure would be considered "incidental" to the physician's treatment of the patient, and therefore acceptable under HIPAA.
Physicians should take appropriate precautions to limit the amount of information that might be incidentally disclosed in this manner. For example, physicians should not ask patients to list "reason for visit" on a sign-in sheet. With respect to placing charts outside of an examination room or the patient's hospital room while the patient is waiting to see the physician, the physician should take precautions such as turning the front of the chart towards the wall so others do not have the opportunity to read the front page while walking past the room.
Yes. The Privacy Rules allow hospitals to disclose patients' names and other directory information to anyone asking for the patient by name or to the clergy. Patients do not need to sign up to be included in the directory, but must be allowed to "opt out" and choose not to be listed.
Yes. The Privacy Rules limit the types of disclosures that are acceptable, but do not limit the ability of a physician to make a disclosure to any particular type of recipient, including a non-U.S. recipient.
A physician must enter into a Business Associate Agreement with its transcription company, regardless of where the company is located, so that safeguards to protect privacy are in place at the transcription service. The Privacy Rules require physicians to use appropriate safeguards when storing or transmitting information (within or outside of the U.S.), and the physician is responsible for ensuring that a subcontractor (such as a transcription service), wherever located, uses appropriate safeguards too.
Depending on where the physician is sending the patient information, local laws may also apply and the physician should consider consulting with legal counsel there as well.
Yes. The Privacy Rules explicitly allow a physician to disclose protected health information for law enforcement purposes, although the physician must comply with certain requirements. For example, the type of information that may be disclosed may be limited and the physician may need to verify the identity and authority of the officer making the request. To learn more about the requirements for disclosing protected health information to the police, check the Department of Health and Human Services' Frequently Asked Questions at: http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html.
No. The Privacy Rules do not prevent 911 dispatchers or emergency medics from using and disclosing patient identifiable information in the course of assisting injured persons.
The Privacy Rules do not apply to most police and fire departments. Even when the Rules do apply, police and fire persons may use and disclose identifiable information while performing their duties, including releasing names and information about accident victims, homicides, and other incidents.
At least for now, the Office for Civil Rights ("OCR," the agency responsible for enforcing the Privacy Rules) has indicated that enforcement will be complaint-based. Accordingly, OCR will respond to complaints that are filed but will not proactively investigate.
If a patient has a complaint that a physician violated the patient's privacy rights, the patient may choose to complain to the physician, to OCR, or to both. If the patient complains to OCR, OCR or the Department of Justice ("DOJ") will likely follow up with the physician to request an explanation and response. OCR/DOJ may ask the physician to implement a voluntary corrective action plan. It is unlikely that OCR or DOJ would make an on-site investigation unless the physician was uncooperative or the government determined that an on-site investigation was necessary.
So far, it appears that OCR has not issued any fines. A violation of HIPAA can result in civil fines and/or criminal penalties, however, so it is important that physicians come into compliance as soon as possible and respond quickly to complaints.
Yes, in some instances. The privacy protections HIPAA affords are not limited durationally, therefore the medical record of a deceased patient is subject to all restraints on disclosure that are applicable to the record of a living patient. Typically a patient's "authorization" would be required to release the record. When authorization is unavailable, however, HIPAA permits disclosure of medical records in two scenarios.
First, disclosures for treatment purposes are permitted. The Protected Health Information of the deceased can be released to another health care provider to facilitate that provider's treatment of a surviving family member.
Second, dislosures to persons who are legally authorized to act for the decedent patient are allowed. Physicians presented with such a request from a representative of a decedent should be certain that; 1) the requestor has the legal authority to act for the decedent or the decedent's estate, 2) the requested information is relevant to the requestor's representation, and 3) the requestor in fact has the authority they claim to have.
State law dictates whether the requestor has the legal authority to act for the decedent as claimed. Professional discretion should be exercised by a physician to determine the relevancy of the requested information. The authority of a requestor can be verified through presentation of court documents, such as "Letters Testamentary," or in the alternative, "Letters of Administration." Professional judgment can also be relied upon in determining authority.
Yes—in limited circumstances. A provider (or provider group) would be exempt from the HIPAA privacy requirements where (a) the provider 1) has less than 10 full time employees and 2) all claims transactions to all payors are made solely on paper (regardless of whether the provider participates in Medicare or not); OR (b) the provider 1) has a practice of any size and 2) all claims transactions to all payors are made solely on paper and 3) the practice does not participate in Medicare.
Under the HIPAA privacy regulations, "a health care provider who transmits any health information in electronic form" is a "covered entity." Thus, a practice that accepts or uses any electronic transactions (or uses a business associate to do so) must comply with the privacy regulations--whether the practice has more or less then 10 full time employees.
Providers with 10 or more full time employees, which might otherwise wish to conduct all claims transactions solely on paper, will—if claims are submitted to Medicare—be required to comply with the HIPAA privacy requirements. This is because the HIPAA Transactions and Code Set (TCS) regulations that became effective in October, 2003 require practices with 10 or more full time employees to conduct all Medicare transactions electronically. While at the present time (January 2004), a contingency plan enables Medicare to accept legacy (paper) claims, the contingency plan does not exempt covered entities from compliance with applicable privacy regulations. A reminder: the present contingency arrangement for compliance with the TCS regulations will not continue forever. Any practice with 10 or more full time employees that accepts Medicare must convert to electronic claims as soon as possible.
A Notice of Privacy Practices is a document required by the Privacy Rules that explains how a physician may use and disclose a patient's information and what rights a patient has with respect to the medical information about him/her that is maintained by the physician. The Privacy Rules impose specific requirements for the Notice of Privacy Practices regarding what must be included and how the information should be presented.
The AMA has posted a sample Notice of Privacy Practices (Word, 56KB) as well as links to other samples.
A "direct treatment provider" (e.g., a primary care physician) must provide the Notice of Privacy Practices to each patient at the time of first service delivery. The direct treatment provider must make a good faith effort to obtain the patient's written acknowledgement of receipt. A physician is temporarily relieved of the provision and acknowledgement requirements in emergency circumstances, but must provide the Notice as soon as reasonably practicable after the emergency situation.
A physician is not required to obtain the patient's written acknowledgement of receipt so long as the physician documents that he/she attempted to obtain such acknowledgement and why the acknowledgement was not obtained.
If there is a physical service delivery site, the Notice must be posted in a clear and prominent location and copies of the Notice must be available for patients to take with them upon request.
An "indirect treatment provider" (e.g., a pathologist or radiologist) is not required to distribute a Notice of Privacy Practices except to provide a copy to a patient upon request.
No. The Privacy Rules do not require a physician to obtain the patient's consent for uses and disclosures of the patient's information. While some physicians may wish to obtain consents, all that is required is providing the Notice of Privacy Practices discussed above.
No. A physician must provide the Notice even if the patient has provided a consent for the physician to make uses and disclosures with the patient's information. As explained above, the Privacy Rules require a physician to provide the Notice and seek a written acknowledgement of receipt of the Notice.
No. Unless a sales representative is doing something outside of the representative's normal role, a sales representative is not a "business associate" of a physician. The sales representative is acting on behalf of the pharmaceutical manufacturer, not on behalf of the physician. However, a sales representative does not need, and should not have access to, a patient's protected health information as part of the representative's sales visit to the physician.
No. The Privacy Rules require physicians to adopt reasonable safeguards to protect the security of protected health information and to protect against inadvertent disclosures. The reasonable safeguard requirement does not mean that a physician must obtain a confidentiality agreement from visitors who might have access to patient information.
Physicians should take other measures, however, such as not allowing visitors to roam freely through the office or examination areas and keeping medical records and other notes away from plain view of office visitors.
Yes. The Privacy Rules do not require physicians to have sales representatives sign any type of confidentiality agreement—neither a Business Associate Agreement nor a more general confidentiality agreement. A physician may, however, ask a sales representative to sign a confidentiality agreement if the physician believes it would be useful to protect the confidentiality and security of information maintained by the physician.
Yes. The Privacy Rules expressly permit a physician to make adverse event reports to a person or entity subject to the FDA's jurisdiction, such as a pharmaceutical manufacturer. As an added precaution to protect patient privacy, and to be sure a report is directed appropriately, physicians should make adverse event reports directly to the drug safety (or other appropriate department) of the manufacturer rather than to the sales representative.
As with the majority of disclosures that are not for treatment purposes, physicians should disclose only the minimum amount of information that is necessary to make the report.
No — unless the physician has obtained a valid authorization from the patient to share the information for these purposes. A sales representative may sit in on a patient's exam or treatment only if the patient has signed a valid authorization expressly allowing the sales representative to do so. The physician should provide the patient with sufficient opportunity to read the authorization form and ask questions before the patient decides whether to provide permission.
No — unless the physician has obtained a valid authorization from the patient to share the information for these purposes.
Physicians may continue to engage in discussions with sales representatives about a particular drug's side effects, benefits, or other qualities. Physicians should ensure, however, that they do not use identifiable information when having these discussions. If the physician wants to discuss a specific patient in a manner that might reveal the patient's identity, the physicians should obtain a valid authorization from the patient prior to engaging in the discussion.
No — unless the physician has obtained a valid authorization from the patient to share the information for these purposes.
There may be an argument that this type of disclosure can be categorized as a disclosure for treatment purposes as the "coordination or management of health care by a health care provider with a third party," and therefore an authorization would not be necessary. Until clarification of the Privacy Rules becomes available, physicians should obtain a valid authorization prior to making such a disclosure.
No. This would require the physician to obtain a valid authorization from each patient giving the physician permission to disclose the patient's protected health information to the pharmaceutical manufacturer for this purpose.
The AMA has many helpful resources available to assist physicians with HIPAA Privacy compliance, including sample forms, and explanations of important requirements at the AMA Compliance Resources Web page.
Yes. The Department of Health and Human Services, Office of Civil Rights, maintains a Web site that provides a variety of helpful information, including forms and many educational materials about the Privacy Rules.
View links from the AMA's Web site to other resources.
The AMA has many helpful resources to assist physicians with all of HIPAA's requirements.
Learn more about the Transaction and Code Set Rules, including information about the AMA's Click and Complain HIPAA Complaint Form, which allows physicians and their office staff to register complaints with the AMA about health plans, clearinghouses, and other entities that are not acting in compliance with the Transaction and Code Set Rules which became effective October 16, 2003.
Learn more about the Security Rules for which compliance will be required in April, 2005.
Yes. Although HIPAA usually preempts contrary state law, there are four situations in which state law preempts HIPAA. The exceptions are for: 1) state reporting laws; 2) health plan reporting and information; 3) specific exemptions determined by the HHS secretary; and 4) when state health privacy provisions are more stringent.
State law, state constitutions, regulations, rules, common law, and other state actions that have the force and effect of law may all give rise to these exceptions.