
HIPAA FREQUENTLY ASKED QUESTIONS
TRAINING
Question: Do I need to train temp employees or extra help that may work in the office for very short periods of time?
Answer: Yes, to cover yourself, take a few minutes to familiarize the employee with HIPAA regulations and document that you have done so. On page 424 of the privacy rule preamble, it says:
The final regulation requires covered entities to train all members of their workforce on the policies and procedures with respect to protected health information required by this rule, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. Remember that workforce includes volunteers including those who work only for a short period of time.
Question: Do rotating medical students and x-ray techs that participate in educational rounding in my office need training?
Answer: Yes, to cover yourself, take a few minutes to familiarize the employee with HIPAA regulations and document that you have done so. We recommend that anyone (employee, contractor, volunteer, etc.) who could possibly come into contact with patient information be trained on the organization's policies and procedures with respect to the proper handling and protection of such information. Note that these policies and procedures include sanctions for those who break the rules. Even though it is not strictly required by HIPAA, we suggest that each person, at the completion of their training, sign a statement to the effect that they understand the policies and procedures and agree to abide by them.
Question: If I have an on-site lab, am I responsible for training the employees working in that lab?
Answer: No, it is the lab company's responsibility to see that their employees receive HIPAA education, but you will need to execute a Business Associate Agreement with the lab.
PENALTIES
Question: Who in my physician office is liable for HIPAA penalties?
Answer: HIPAA applies only to covered entities. Covered entities are organizations, not individuals. However, to the extent that organizational liability can be ascribed to individuals associated with it, those individuals could also be liable. Prison terms, for example, cannot be served by organizations; only individuals go to jail. If a doctor sold information about a celebrity patient to a tabloid, the practice (i.e. the organization) would first be found guilty of a criminal violation, after which the doctor could be prosecuted and, if convicted, fined or imprisoned. If blame could not be assigned to a specific individual within the organization, then the penalty would consist of a civil or criminal fine imposed on the organization.
Question: If an ex-employee of mine misuses PHI obtained during their employment, am I still liable?
Answer: No, as long as you had your employee sign a confidentiality agreement and reminded them at time of termination/resignation that it is effective indefinitely.
CONFIDENTIAL CHANNELS
Question: Does HIPAA require the use of this form for all alternate communication requests, or do documented notes in patients' charts cover this requirement?
Answer: HIPAA does not require the use of any specific forms for such requests, nor does it require that such requests be made in writing, nor does it require that the covered entity maintain records of such requests. The covered entity has the right to require that all such requests be made in writing. It is probably a good idea to maintain written, signed copies of such requests to avoid future misunderstandings.
Question: With the death certificate question: if the physician is the primary caregiver of the patient, what forms would have to be in place to complete a death certificate?
Answer: If the physician has the direct treatment relationship, it would be assumed, after the compliance date, that they have already provided notice and have an acknowledgement. Thus it isn't necessary for them to complete anything differently for the death certificate. Of course they should treat the death certificate as a form of PHI. If you are referring to a physician who is completing a death certificate for someone who is not his/her patient, remember that the new law calls for Notice only when the physician has a direct treating relationship. If they were called in just to pronounce death, no notice is needed.
USES & DISCLOSURES
Question: Is the information I send to my in-house lab, owned by a contracted company, a use or a disclosure?
Answer: Any revelations of information to persons who are not part of your organization's workforce are disclosures. Communications between members of your organization's workforce are considered uses. Your organization has some discretion as to whether personnel who are not on the payroll are nevertheless members of the workforce. If contractor personnel work directly under the supervision of one of your organization's managers, then they may be considered to be part of the workforce.
Question: Is telling my patient their test results a use or disclosure?
Answer: Neither, if released directly to your patient.
CONSENT
Question: Do I need a new consent to release information to an ENT I have referred my patient to?
Answer: No, one consent covers all disclosures for treatment, payment and healthcare operation purposes. Coordination of care is considered to be treatment.
Question: Are CASPER reports covered under consents?
Answer: To the extent that CASPER reports can be considered coordination of care, they are covered under consent. If multiple pharmacies and physicians confer with each other regarding prescriptions that have been independently written for a specific patient, this could be considered coordination of care. Each covered entity must, of course, include such disclosures in their notices of privacy practices. And the patient has the right to request that such disclosures not be made.
Question: Can I accept a faxed copy of a patient's signed consent form?
Answer: Yes, if you have taken reasonable measures to get it signed and received from the correct person. It would probably be just as convenient, however, to have the patient sign the consent form at the time of treatment (or bring a consent form signed by a personal representative at the time of treatment).
Question: Can I send a consent form home with a minor to be signed by a parent if the minor has driven themselves to my office and if so, can I treat them the day they come to the office?
Answer: This may run afoul of state law governing the requirement to obtain consent for treatment. (Remember that consent for treatment is different from the HIPAA consent to use or disclose PHI for treatment, payment or health care operations.) Treatment may proceed without a signed HIPAA consent if there are substantial barriers to communication with the subject individual or his representative. In this case treatment could proceed if the minor child presented the signed consent form or stated that it was in the mail.
Question: Do my patients' consent forms cover the indirect exposure of their PHI that other patients may get in the office?
Answer: No. Such disclosures would not be for treatment, payment or health care operations, nor for any of the public purposes listed in the notice of privacy practices. The covered entity's responsibility with respect to such accidental exposure of PHI is set out in the privacy rule at 164.530(c)(2):
A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
Also, such exposures are addressed by several sections of the security rule.
Question: Should my patients receive a copy of their signed consent forms?
Answer: HIPAA does not require this.
AUTHORIZATION
Question: Are Drug Representatives allowed in my back office without authorizations from patients?
Answer: HIPAA does not regulate the locations where drug representatives are allowed to go. HIPAA regulates the disclosures that a physician is allowed to make to the drug representative. If information is revealed to the drug representative as part of a clinical trial, then authorizations would be required from each patient involved. If the drug representative is just making a sales call (i.e. not involved in the treatment of a specific patient) then incidental exposure to PHI should be limited unless the representative has signed a business associate agreement.
Question: Do I need an authorization from my patient to disclose school physical forms and other similar forms?
Answer: If releasing to your patient, no form of permission is needed; if releasing to another entity, such as the school, you will need to obtain an authorization from the patient.
Question: If a physician hands a patient a lab requisition form, is the liability on the patient for releasing the PHI to the lab?
Answer: If a physician hands a lab requisition form to the patient, the patient will take this form to the lab. At that point the patient and the lab have a relationship, and the lab, as a covered entity, must then handle the PHI in accordance with its Notice of Privacy Practices. It is irrelevant whether the "liability" is on the patient to release the PHI, since the lab will require this information from the patient.
Question: What kind of arrangement (if any) needs to be in place to exchange information with a pharmacy? Even calling in a prescription or verification of a prescription by phone?
Answer: Under the revised rule and its preamble there is some clarification about the pharmacy/pharmacist being allowed to use their professional judgment in filling prescriptions, even when the patient is not present or it is picked up by someone else. That is, they can use professional judgment to determine that the person calling is the patient or that the person picking it up is doing so on behalf of the patient.
Question: How does the notice of privacy practices affect a radiologist, pathologist or laboratory that doesn't actually see the patient? Or, if they see the patient, all of the information is forwarded to the requesting physician and NO charts are kept on site?
Answer: Providers who don't have a direct treating relationship, like the radiologist, etc., don't need to provide the patient a Notice or obtain an acknowledgement. If they are hospital-based only, they are likely covered by the hospital's organized health care arrangement as well. However, if in any way they maintain their own practice (for example, we find radiologists doing epidurals in a free-standing surgi-center), they then have a direct treating relationship and must publish a notice and make a good faith effort to obtain an acknowledgement. Although there are "no charts", there is other PHI these providers may actually still maintain (consult letters, interpretive reports, billing information, etc.).
DESIGNATION OF PERSONAL REPRESENTATIVE
Question: Is there a HIPAA form required if I have received a Power of Attorney designation from the patient?
Answer: There is no specific HIPAA form used to designate a personal representative. A power of attorney is sufficient to establish the patient's wishes.
Question: Is a foster parent automatically deemed designated representative? If so, what documentation (if any) does the office need to obtain prior to releasing any information to the foster parent?
Answer: You must check the law of the particular state: does it identify a foster parent as standing in loco parentis (the Department of Child Health Welfare almost always does), or does it identify the foster parent as a legal guardian? In both cases, unless superseded by state law, this makes the foster parent a personal representative who is generally entitled to the minor's information. However, you must also check state law (HIPAA defers to state law in cases of minors' rights) to see what restrictions, if any, are placed on releasing minors' records.
PRIVACY NOTICES
Question: How should my office go about sending Privacy Notices to existing patients?
Answer: It is not required to back-date implementation; it is necessary to have a procedure in place at the time of implementation. By posting the notice in your waiting room and offering a copy to each patient as they appear for treatment, you meet HIPAA requirements.
Question: Do we have to supply updates of the Privacy Notice to our patients annually?
Answer: No, the notice should state that updates are available upon request.
Question: Can you give me any suggestions for how to handle the "notice of privacy practices" for physicians who visit hospital patients only (these patients will not return to the office for follow-up visits)? Do they fall under the notice from the hospital (even though the physician is billing with his/her own TIN), or do they need to provide this to every patient (in office and in hospital) that they perform services on?
Answer: The physician doesn't need a separate notice to bill for the services he or she provided at the hospital, as long as the hospital's notice is "joint" and includes the physician. But that doesn't cover the physician for any follow-up care in their office. A surgeon who sees the patient at their office for suture removal would need to provide that patient with a Notice. If the physician was only hospital-based and had no office of his/her own, then the Hospital Notice would suffice.
Question: For a state licensed psychiatrist, if they visit patients in a facility (nursing home, SNU, or hospital) are they 'required' to leave a copy of the notes for the facility chart?
Answer: Only if the facility has a joint Notice that covers them.
AMENDMENT REQUESTS
Question: Should I add to the patient's chart notes that my patient requested an amendment of medical records if that request was denied?
Answer: HIPAA requires that denials of amendment requests be communicated to the patient in writing. The patient then has the option to include in the chart a statement of disagreement. The physician may append a rebuttal to the statement of disagreement. A copy of the rebuttal must also be sent to the patient.
COMPLAINTS
Question: Who do patients complain to?
Answer: Internally they will complain to the person you have designated as your compliance officer. Externally they may complain either directly to DHHS or to their attorneys.
Question: Have patients really already been complaining about misuse of PHI or has this act been mandated to get patients to recognize their rights?
Answer: Patients were not complaining about misuse of PHI. The original purpose of HIPAA was to provide health insurance portability. HIPAA is the reason that we now have COBRA, whereby a person can pay for his own health insurance between jobs and may not be rejected by the group plan offered by his next employer. Health plans objected to this arrangement as an unfunded mandate, since they were being forced to take members with pre-existing conditions. Congress added the administrative simplification subpart to the legislation in order to offset these additional costs. By enforcing standard transactions and code sets, health plans would be able to avoid paying a number of bogus claims. At the time that this was proposed, Arthur Ashe's positive HIV diagnosis was leaked to a tabloid. Privacy groups objected to the administrative simplification provisions because keeping everyone's health information on computers and transmitting it electronically put patient privacy at risk. To counter these objections, Congress added the privacy and security rules.
PROTECTED HEALTH INFORMATION
Question: How long do I have to keep medical records per HIPAA, KY state law and/or IN state law?
Answer: HIPAA does not require the retention of medical records at all. The documentation that HIPAA requires consists of communications that are required to be in writing (such as the denial of an amendment request) and items specifically required to be documented (such as signed authorizations). HIPAA requires that such records be kept beginning on the compliance date of the privacy rule (April 14, 2003) for a period of six years beyond their creation or the date on which they were no longer in effect (whichever is later).
Question: Am I allowed to disclose PHI about my patients that came from other providers and is now part of their chart?
Answer: HIPAA does not distinguish between PHI that was created internally vs. PHI that came from outside the organization. You are allowed to use or disclose PHI provided that you have the appropriate permission to do so (verbal agreement, consent or authorization).
Question: What do I do with PHI sent to me in error?
Answer: Shred it, and you may want to contact the sender to notify them of the error.
Question: Can my office still use a sign-in sheet?
Answer: They are still OK to use with limited information requested of your patients.
Question: Can I have my patients review their superbill at time of sign in and verify no changes by initialing corner instead of a sign-in sheet?
Answer: This would be fine.
Question: Who uses the PHI inventory I complete?
Answer: It is required that you document where the PHI is in your office, but the list itself is what you will use to ensure that PHI is protected in your office.
Question: Are consult summaries and reports from labs and x-ray that have been sent to me pieces of PHI that I can forward to other physicians?
Answer: Assuming that the purpose of the forwarding is for the treatment of the patient, such disclosures would be allowed.
Question: Can I release PHI, without any form of permission, to a parole officer who is calling?
Answer: You can release PHI without permission to a parole officer if that officer is willing to bring you court documentation indicating that the PHI needs to be released.
Question: How long must I keep records on deceased patients?
Answer: Any PHI documentation on a patient must be kept for 6 years per HIPAA. Medical record retention periods vary by state law, and most HMO contracts require that medical records on a patient be kept for 10 years.
Question: Can my practice staff leave reminder messages on patients' answering machines about upcoming appointments?
Answer: This is a judgment call. Nothing in HIPAA precludes the use of answering machines. The covered entity must consider the type of PHI that is being communicated and whether or not it is likely to be intercepted by a person who should not have access to it.
Question: When emergencies occur in my office (i.e. a patient has a heart attack), can I call a family member and release information of the event?
Answer: Normally, the patient must be given the right to object before information is shared with family members. If the condition of the patient is such that the patient cannot express an opinion, the physician may exercise judgment and make such disclosures if they are in the patient's best interest.
BUSINESS ASSOCIATE AGREEMENTS
Question: Do I need to hold a Business Associate Agreement with Drug Representatives that come into my office?
Answer: No. You only need to have business associate agreements with those to whom you intend to disclose PHI.
Question: Should we have a Business Associate Agreement with our cleaning service?
Answer: You need to have a business associate agreement with anyone who performs a service for you if that service involves disclosures of PHI. The disclosure may be because the PHI is an essential part of the service to be performed (such as the recordings used by a transcriptionist) or because the incidental exposure of PHI is unavoidable (such as PHI that may appear in traces used by computer troubleshooters). If there is no way to avoid giving the cleaning service access to PHI, then you must have a business associate agreement in place.
Question: Are business associate agreements necessary with OSHA, CLIA, etc.?
Answer: No. Governmental oversight agencies are not business associates. (They would never sign your agreement, and you can't hold information back from them.) JCAHO, however, is a business associate.
Question: Are business associate agreements and chain of trust agreements an either/or or an and?
Answer: Business associate agreements and chain of trust agreements serve two distinct purposes. A business associate agreement ensures that the business associate will protect the privacy rights of the subject individual (i.e. not engage in any unauthorized uses or disclosures of PHI). A chain of trust agreement ensures that a trading partner (i.e. someone with whom a covered entity exchanges data electronically) will maintain the security of transmitted data and observe a standard of due care (i.e. authentication, access control and audit). The business associate agreement is required by the privacy rule; the chain of trust agreement is required by the security rule. In some cases, both agreements will have to be negotiated; in other cases only one of the two will be required.
Question: Will my office need a business associate agreement with my patients' interpreters, since we are required to pay for their services?
Answer: If the interpreters are performing a service for your office they are business associates, and the agreement would have to be in place. If they are persons involved in the health care of the individual they are not business associates. Who meets the interpreter first, the clinic or the patient?
Question: If my cleaning service is provided to me through my leasing agent, do I hold a BA agreement with the leasing agent, the cleaning service, or both?
Answer: You would need to hold a BA agreement with the leasing agent, who is responsible for their employees and subcontractors' employees.
Question: We have seen, and had requests to, combine the business associate agreement and the chain of trust agreement. Has this been addressed by PrivaPlan as to the pros and cons?
Answer: We have not addressed this, since only some BAs also need to accept the chain of trust; thus we thought it wise to keep them separate and let the user combine them. But we are open to reviewing this further.
CHAIN OF TRUST AGREEMENTS
Question: If I wait to get my Chain of Trust Agreements, could I put myself in danger of not being able to file claims?
Answer: Not if you don't wait too long. Once the security regulations have been finalized, you will have two years to begin assuring compliance with all of the finalized compliance criteria.
SYSTEM SECURITY
Question: Why have passwords if we already have staff confidentiality statements?
Answer: Passwords are used at the beginning of a computer session to prove the claimed identity of the person sitting at the keyboard. This process is known as authentication. Once a session is begun with an authenticated user, the system access control mechanisms can ensure that the access to data that the user has is appropriate to that specific user. Similarly, the logging mechanisms that are employed will create records that show accurately which functions the user performed or tried to perform.
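Added illustration, not code from the FAQ or from PrivaPlan: a minimal model of the three mechanisms named above (password authentication, role-based access control, and an audit log that attributes each attempt to an authenticated user). All users, roles, passwords and chart records are constructed.

```python
# Added illustration, not code from the FAQ or from PrivaPlan: how a password
# login (authentication), a role/permission table (access control) and an audit
# log fit together. Names, roles, passwords and records are constructed.
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-user salt: the stored value does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def _make_user(role: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "hash": _hash_password(password, salt)}


# Constructed staff directory and permission table (which role may read which
# category of PHI). A signed confidentiality statement gives the system neither.
USERS = {
    "dr_smith": _make_user("physician", "constructed-password-1"),
    "front_desk": _make_user("scheduler", "constructed-password-2"),
}
PERMISSIONS = {
    "physician": {"demographics", "clinical_notes", "lab_results"},
    "scheduler": {"demographics"},
}
# Constructed chart; in practice this is the practice management / EHR database.
CHART = {
    "P001": {
        "demographics": "Jane Doe, DOB 1970-01-01",
        "clinical_notes": "constructed note",
        "lab_results": "constructed lab panel",
    }
}
AUDIT_LOG: list[dict] = []


def _audit(user: str, action: str, record: str, outcome: str) -> None:
    # Every attempt, allowed or denied, is attributed to the claimed/authenticated user.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "record": record, "outcome": outcome,
    })


def authenticate(username: str, password: str) -> Optional[str]:
    """Prove the claimed identity; return the session user on success, else None."""
    user = USERS.get(username)
    if user is None:
        # Do the same work for unknown names so timing does not reveal valid logins.
        _hash_password(password, bytes(16))
        _audit(username, "login", "-", "denied")
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        _audit(username, "login", "-", "denied")
        return None
    _audit(username, "login", "-", "ok")
    return username


def read_phi(session: Optional[str], patient_id: str, category: str) -> str:
    """Access control: only a role permitted for the category may read it."""
    if session is None:
        raise PermissionError("not authenticated")
    role = USERS[session]["role"]
    if category not in PERMISSIONS[role]:
        _audit(session, f"read:{category}", patient_id, "denied")
        raise PermissionError(f"{role} may not read {category}")
    _audit(session, f"read:{category}", patient_id, "ok")
    return CHART[patient_id][category]


def actions_by(user: str) -> list:
    """What the audit log shows for one user: 'action record outcome' per entry."""
    return [f"{e['action']} {e['record']} {e['outcome']}" for e in AUDIT_LOG if e["user"] == user]
```

Because each session is tied to one authenticated user, the audit trail can say which person read or tried to read a record, which a confidentiality statement alone cannot.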
Question: Will my software vendors give me a certificate indicating they or their products are HIPAA compliant?
Answer: If they tell you they are HIPAA compliant, you should request something in writing for your documentation.
Question: Is it ok to access our transcription service from home via the internet if I am required to use a password to get to any PHI?
Answer: The security rule requirement is that data that is transmitted across the Internet must be encrypted. This is in addition to the authentication (i.e. password) requirement.
POLICIES & PROCEDURES
Question: Does our Archive Staff need to be listed by name(s) in our policies and procedures?
Answer: No, you could use titles.
Question: How big should my Compliance Committee be?
Answer: At least one person. As many other people as that person can convince, entice, interest, cajole, threaten, seduce, blackmail or otherwise talk into helping with the compliance project.
Question: Why is the office manager the suggestion for the person heading up the compliance tasks at my office?
Answer: Typically the office manager is a person with the authority to delegate as needed through the HIPAA compliance implementation process, but any position with this authority would be fine.
Question: Do I need two binders, P&Ps, committees, etc. if I have two physicians with two tax id numbers?
Answer: A single set of documentation should suffice if the two physicians are part of the same covered entity. They could have two separate tax id numbers but be a single covered entity. For example, they could be part of the same affiliated entity or organized health care arrangement.
Question: Will it be a problem during an audit because the letter from the attorney in my binder is not addressed to me?
Answer: No.
TRANSACTION & CODE SETS
Question: Why would I request an extension on transaction and code sets if I feel I am already compliant?
Answer: Because you might not, in fact, be compliant. Because it only takes five minutes to file for the extension. Because if you are not compliant and have not filed for the extension, you may not be able to submit Medicare claims.
MINIMUM NECESSITY
Question: Isn't it sometimes in the best interest of the patient to release more information for treatment purposes instead of only information that relates to the patient's current diagnosis, and does HIPAA allow for this to happen?
Answer: The minimum necessary requirement does not apply to disclosures made for treatment purposes.
Question: How much information can be released to a specialist? What if they request more information than what is directly related to current diagnosis?
Answer: HIPAA does not impose any limit on the amount of information that may be released to a specialist, assuming that the information is being released for treatment purposes. (Minimum necessary does, however, apply to disclosures made for payment or health care operations purposes.)