HIPAA FAQs from ChiroCare
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of health care information, and help the health care industry control administrative costs.
Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific person. This includes any part of a patient’s medical record or payment history. PHI must be de-identified before the dataset may be shared publicly to preserve patient privacy.
De-identified health information neither identifies nor provides a reasonable basis to identify an individual. To create a de-identified record according to HIPAA, all of the following information about a patient, as well as similar information about the patient’s relatives, employer, and household members, must be removed:
- Street address, city, county, precinct, and ZIP Code
- Dates directly related to any individual, including birth date, admission date, discharge date, date of death
- Telephone and fax numbers
- Email addresses
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic or code
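As an added illustration (not part of the original FAQ), the following Python sketch applies the list above to a constructed patient record: listed fields are dropped outright, free-text notes are scanned for the identifier formats the list names (URLs, e-mail addresses, SSNs, telephone numbers, IP addresses, dates, ZIP codes), and a pre-release check reports anything still present. The field names, regular expressions and sample record are this example's own assumptions, not a HIPAA or EHR standard.

```python
import re

# Assumed record schema (this example's own field names, not an EHR standard):
# structured fields holding identifiers from the list above are dropped whole.
DIRECT_IDENTIFIER_FIELDS = {
    "street_address", "city", "county", "zip", "birth_date", "admission_date",
    "discharge_date", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "license_plate", "device_serial",
    "url", "ip_address", "biometric_ref", "photo_ref",
}

# Listed identifier formats that leak into free text. Order matters: URLs before
# e-mail/IP and dates before ZIP, so a looser pattern never fires on a fragment
# of an earlier match.
FREE_TEXT_PATTERNS = [
    ("url", re.compile(r"https?://\S+")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("zip", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]

def deidentify(record):
    """Return (clean_record, report): listed fields dropped, listed formats
    redacted inside string values; report is an audit trail of what went."""
    clean, report = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            report.append(f"dropped field {key}")
            continue
        if isinstance(value, str):
            for name, pattern in FREE_TEXT_PATTERNS:
                value, hits = pattern.subn(f"[{name.upper()} REMOVED]", value)
                if hits:
                    report.append(f"redacted {hits} {name} value(s) in {key}")
        clean[key] = value
    return clean, report

def residual_identifiers(record):
    """Pre-release check: listed identifier types still present (empty = pass).
    Format-based only: spelled-out dates or names still need human review."""
    found = {key for key in record if key in DIRECT_IDENTIFIER_FIELDS}
    for value in record.values():
        if isinstance(value, str):
            found.update(n for n, p in FREE_TEXT_PATTERNS if p.search(value))
    return sorted(found)

# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "mrn": "MRN-0042", "ssn": "123-45-6789", "city": "Springfield", "zip": "62704",
    "diagnosis": "M54.5 low back pain",
    "notes": ("Pt called from 555-123-4567 on 3/14/2023; reach at pat@example.com. "
              "Portal login from 192.0.2.10, see https://portal.example.com/u/42"),
}
```

Running `deidentify(SAMPLE_RECORD)` keeps only the diagnosis and the redacted notes, and `residual_identifiers` on the result returns an empty list, whereas on the raw record it flags nine identifier types.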
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which U.S. Department of Health and Human Services (HHS) has adopted standards.
HIPAA Privacy Rules require that reasonable efforts be made to limit the amount of PHI to the minimum amount that is necessary to accomplish the purpose of the use or disclosure. This requirement does not apply when a health care provider discloses information to another provider for treatment purposes, or when a health care provider requests information from another provider for treatment purposes. Accordingly, the minimum necessary standard should not interfere with a doctor’s ability to provide appropriate treatment to patients.
The minimum necessary standard also does not apply when the health care provider releases information: (1) directly to the patient, (2) pursuant to a patient’s authorization, or (3) for disclosures that are required by law or are necessary to comply with the Privacy Rules.
HIPAA defines those organizations or people, other than a member of a covered entity’s workforce, hired to handle PHI client information—e.g. billing services, IT support, online data backup services, etc.—as “Business Associates.” The law states that health care providers can work with such services if they “…obtain satisfactory assurances that the business associate will appropriately safeguard [personally-identifying client information].” That “satisfactory assurance,” as a standard, takes the form of a contract called a Business Associate Agreement, or “BAA” for short. Note: The “HIPAA Omnibus Rule” modified the Health Insurance Portability and Accountability Act (HIPAA) making business associates and subcontractors of business associates of covered entities directly liable for compliance with certain provisions of the HIPAA Privacy and Security rule.
The HIPAA Privacy Rule gives patients a right to be informed of the Privacy Practices of health care providers and health plans and of their privacy rights regarding their protected health information. Health care providers and health plans that are subject to HIPAA are required to develop and distribute a notice containing certain elements that provides a clear, user-friendly explanation of these rights and practices. Pre-approved model notices of privacy practices are available through healthIT.gov.
Yes. The Privacy Rules allow this type of patient communication, but precautions must be taken to safeguard the patient’s privacy. For example, answering machine messages should be limited to the appointment time or to request that the patient return the call. The Privacy Rules also allow messages to be left directly with the patient’s family member or companion.
Doctors are allowed to disclose information about the patient’s care to the patient’s family members and friends, even if the patient is not present or has not affirmatively given the physician permission to do so, as long as the doctor believes that the disclosure is in the patient’s best interest. If the patient has expressly directed that there be no disclosure to specific family members or friends, however, the patient’s wishes must be respected.
Also, if a patient requests confidential communications, the request must be accommodated if it is reasonable. For example, it would be reasonable for a patient to request that all mailings be sent to a specific address (e.g., to the patient’s office instead of home, or vice versa), or be sent in a closed envelope instead of on a postcard.
Yes. The Privacy Rule generally allows a parent to have access to a child’s medical records as the minor child’s personal representative when such access is not inconsistent with state or other law. There are three situations when the parent would not be the minor’s personal representative under the Privacy Rule. These exceptions are:
- When the minor is the one who consents to care and the consent of the parent is not required under state or other applicable law.
- When the minor obtains care at the direction of a court or a person appointed by the court.
- When, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.
Yes. To the extent these activities result in other people learning a patient’s name or other information, the disclosure would be considered “incidental” to patient treatment, and, therefore, acceptable under HIPAA. Appropriate precautions should be taken to limit the amount of information that might be incidentally disclosed in this manner. For example, “reason for visit” should not be included on a sign-in sheet. With respect to placing charts outside of an examination room, the front of the chart should be turned toward the wall.
You may use or disclose PHI for treatment, payment and health care operations activities. Disclosure of data to insurance companies for treatment, payment or operations must include data safeguards. Individually identifiable health information should be protected with reasonable administrative, technical and physical safeguards to ensure its confidentiality, integrity and availability, and to prevent unauthorized or inappropriate access, use or disclosure. It is important to assess your practice and organization to understand all modes of transmission of PHI and develop standard processes and training for all data. Note: The HIPAA Security Rule establishes standards for protecting information that is held or transferred in electronic form.
Email: The Privacy Rule allows sharing of PHI electronically (or in any other form) for treatment or payment purposes, as long as reasonable safeguards are applied. The Security Rule does not expressly prohibit the use of email for sending electronic PHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to electronic PHI sent and received over email. A covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows e-PHI to be sent over an open electronic network as long as it is adequately protected. For example, if you don’t use a secure, HIPAA compliant email application, avoid including PHI in the text of the email, and encrypt any files containing PHI.
Flash drive: If you use flash drives, or other movable media such as CDs, use password protection and encrypt the file. Protocol, training and tracking of who can use removable storage devices represent additional best practices for ensuring appropriate safeguards.
Fax: You must have in place reasonable and appropriate administrative, technical and physical safeguards to protect the privacy of protected health information that is disclosed using a fax machine. Examples of measures that could be reasonable and appropriate include confirming that the fax number to be used is the correct one, using a fax cover-sheet that does not contain PHI, and placing the fax machine in a secure location to prevent unauthorized access to the information. Additional safeguards should be considered when faxing highly confidential information.
Mail: As with other forms of PHI, you must have in place reasonable and appropriate safeguards to protect the privacy of PHI that is disclosed via mail. One of the biggest problems with mailing medical records is human error. Ensure that staff are well trained and that measures such as verifying addresses are in place. Note: If you are mailing movable media such as flash drives, the files on the flash drive should be encrypted.
No. PHI may not be shared with your association without authorization from your patient(s). Appropriately de-identified data may be shared with your association because it is no longer considered PHI.
Generally, the Privacy Rule applies uniformly to all PHI, without regard to the type of information. One exception to this general rule is for psychotherapy notes, which receive special protections. Sharing of PHI electronically (or in any other form) for treatment or payment purposes is permitted, as long as reasonable safeguards are applied when doing so.
Treatment, payment and operation: Like other PHI, mental health information for treatment, payment or operations may be shared.
Patient family, friend or others: In situations where the patient does not object, HIPAA allows health care providers to share or discuss mental health information with family members or others involved in the patient’s care or payment for care. For example, a provider may ask the patient’s permission to share relevant information with others; tell the patient the information will be discussed and give them an opportunity to agree or object; or infer from the circumstances that the patient does not object.
Communications between providers and others should be limited to information directly relevant to that person’s involvement in the patient’s care. If the provider does not believe the patient has the capacity to agree or object to sharing information, and that sharing the information is in the patient’s best interests, the provider may talk to others involved in the patient’s care. In either case, the provider may share or discuss only information others need to know about the patient’s care or payment for care. A provider should not share a patient’s information with others if the patient has asked that it be kept confidential. The HIPAA Privacy Rule does, however, permit a health care provider to disclose information to family members or others involved in the patient’s care or payment for care, regardless of patient consent, if there is a perceived serious and imminent threat to the health or safety of the patient or others and they are in a position to lessen the threat.
HIV/AIDS: Discussing, diagnosing, and treating HIV/AIDS is a sensitive, private issue. The need for privacy and security must be carefully balanced with the appropriate sharing of patient information. There are instances where health care providers must reveal patient information to someone other than the patient. For example, providers are required to report the names of people who have a positive HIV test to public health authorities for infectious disease surveillance. HIPAA expressly permits PHI to be shared for specified public health purposes. The HIPAA Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws.
Providers may also share a patient’s medical information with the other providers to coordinate care and to manage HIV/AIDS as a chronic condition.
Minors: The Privacy Rule generally allows parents to have access to their children’s medical records as a minor child’s personal representative when such access is not inconsistent with state or other law.
There are three situations when the parent would not be the minor’s personal representative under the Privacy Rule. These exceptions are:
- When the minor is the one who consents to care and the consent of the parent is not required under state or other applicable law;
- When the minor obtains care at the direction of a court or a person appointed by the court; and
- When, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.
However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when state or other applicable law requires or permits such parental access. Parental access would be denied when state or other law prohibits it. If state or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise professional judgment to the extent allowed by law to grant or deny parental access to a minor’s medical information.
A provider may choose not to treat a parent as a personal representative when the provider reasonably believes that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.
Yes. A doctor may disclose PHI to another doctor or other health care provider for treatment. The doctor does not need to limit or otherwise restrict the amount of information disclosed for purposes of treatment. The only exception applies to a mental health professional’s personal psychotherapy notes, which may be disclosed only with the patient’s authorization. For example: A primary care provider may send a copy of an individual’s medical record to a specialist or chiropractor who needs the information to treat the individual.
The following are examples of common mistakes:
- Lost or stolen patient paper records.
- Lost or stolen cameras or data storage devices that have unencrypted patient data.
- Failure to provide Notice of Privacy Practices.
- Impermissible uses and disclosures of PHI.
- Failure to provide patient access to PHI.
- Careless handling of patient information.
- Unauthorized access or disclosure of patient information.
- Sharing passwords or enabling others to work under the same user ID.
- Accessing electronic patient information without first logging on with a unique identification or password, or failing to log off, shut off, or otherwise protect the computer.
- Gossiping about a patient’s health information.
- Faxing documents containing patient information to the wrong recipient or fax number.
- Mailing reports or billing statements containing patient information to the wrong patient or wrong address.
- Giving patient information or documents to the wrong patient.
- Leaving printed documents containing patient or other confidential information unattended in a public place.
- Sharing sensitive patient information while visitors are present in the room without giving the patient an opportunity to object or consent.
The following are examples of how best to avoid HIPAA violations:
- Training for all doctors and staff members
- Risk analysis and risk management
- Policies and procedures
- Access control
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to conduct a risk assessment of their health care organizations. A risk assessment helps ensure compliance with HIPAA’s administrative, physical and technical safeguards, and it helps reveal areas where protected health information (PHI) could be at risk.
HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that result in jail time.
Fines increase with the number of patients and the degree of neglect. At one end of the spectrum is a breach where the provider did not know, and by exercising reasonable diligence would not have known, that a provision was violated; at the other end is a breach due to negligence that is not corrected within 30 days. In legalese, this is known as mens rea (state of mind). So fines increase in severity from no mens rea (didn’t know) to assumed mens rea (willful neglect).
The fines and charges are broken down into two major categories: “Reasonable Cause” and “Willful Neglect.” Reasonable Cause ranges from $100 to $50,000 per incident and does not involve jail time. Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.