HIPAA Health Insurance Portability & Accountability Act of 1996.


What is HIPAA? A set of rules passed in 1996 that must be followed by doctors, hospitals, and other healthcare providers to help ensure that all medical records, medical billing, and patient accounts meet certain consistent standards with regard to documentation, handling, and privacy.

What does HIPAA require? Confidentiality of Personal Health Information (PHI); the ability for all patients to access their own medical records, correct errors or omissions, and be informed about how personal information is shared or used and about privacy procedures. Shhh…

What health information is covered? Electronic records, paper records, fax documents, oral communication.

What health information is NOT covered? Information that is NOT “individually identifiable”—cannot be linked to a specific person

Potential consequences for health professionals that don’t follow HIPAA: termination, lawsuit.

So let’s figure out when HIPAA has been followed and when it has been broken

Scenario #1 A 32-year-old immigrant from a patriarchal country is giving birth in Indianapolis. As she is delivering the baby, she tearfully confesses to her doctor that this is her 4th child and she simply cannot handle any more children. She tells the doctor that her husband refuses to use contraception or allow her to and she begs her doctor to tie her tubes and not tell her husband. The doctor complies.

Answer #1 The doctor WOULD HAVE violated HIPAA by discussing the matter with the husband after the wife specifically asked her NOT to. Tying her tubes without her husband’s consent would NOT violate HIPAA, though it might violate hospital policies. Many hospitals require husband’s consent for tube-tying to prevent later litigation. The physician’s in a tricky spot on this one!

Scenario #2 An 18-year-old high school senior at RHS gets pregnant. She does not want to have the child and her best friend takes her to a doctor’s office for an abortion. A few days later her mother reads a text about the abortion on her phone and angrily calls the doctor’s office, demanding more information. The receptionist confirms that her daughter visited the office for an abortion.

Answer #2 The receptionist violated HIPAA and could be fired. Because she is 18, the girl’s mother does NOT have any legal rights to her medical information (unless the daughter signed a consent form giving her mother the rights, which seems highly unlikely in this case).

Scenario #3 A mother emailed her son’s teacher about his history of seizures. Months later, the teacher replied to the email to tell the mother about discipline problems. Communication eventually became contentious. The teacher forwarded the email conversation to her best friend, a teacher at the same school. The information about the boy’s seizures was way at the bottom of the email chain.

Answer #3 The teacher (though not a medical professional) violated confidentiality and was fired (this is a real example!). If the OTHER teacher had the same student in class, though, that teacher would have a right to the medical information. In this case, the teacher that got the message did NOT have the student in class. That’s why confidentiality was violated.

Scenario #4 A 33 year old woman visited her gynecologist for a routine STD screening. The doctor called back a week later to report the results. The husband answered the phone and the doctor shared the results with the husband.

Answer #4 The doctor violated HIPAA UNLESS the woman had signed a consent form, giving her husband access to her medical information (which many women do). OTHERWISE, the doctor would ONLY be authorized to tell the woman herself the information, not to tell it to the person who answered the phone or even leave it on an answering machine.

Scenario #5 A teacher at RHS decides that he needs to attend an in-patient drug rehabilitation program. He tells his employer that he needs time off “for medical reasons.” The employer requires a FMLA (Family Medical Leave Act) form from the employee’s doctor. The doctor fills it out, including information about the patient’s history with drug use.

Answer #5 The physician did NOT violate HIPAA (though some people don’t like this part of the law). If you need time off and your employer asks for an FMLA form, they WILL receive detailed medical information about you!

Scenario #6 Two nurses who work at Random Community Hospital are shopping together at Wal-Mart after work. As they walk around they talk about their patient Barbara. Although she’s in the hospital for diabetes treatment, they discuss the fact that her crazy “bug-eyes” mean she probably has an overactive thyroid (Graves’ disease). They wonder aloud whether to tell Barbara their suspicions.

Answer #6 The nurses DID violate Barbara’s rights because they spoke about her IN PUBLIC and used IDENTIFYING INFORMATION (her first name).

Scenario #7 Two doctors are having lunch together in the Physician Dining Room at Random Community Hospital. As they eat they talk about the man with the terrible butt abscesses that they recently treated. They joke about how bad they smelled and about the fact that the juice that squirted out when they punctured one of the abscesses hit the nurse right in the face.

Answer #7 They did NOT violate HIPAA. They were speaking in a PRIVATE area and BOTH physicians had Bob as a patient. If it had been in public or one doctor had NOT had Bob as a patient, they would have violated HIPAA.

Scenario #8 A 14-year-old freshman from Random High School is pregnant and visits Gyne Limited. Her mother comes with her and comes into the doctor’s office for the visit. She asks the doctor many questions about the due date, the heart rate of the baby, methods of delivery, genetic risks, etc. The doctor answers all of the mother’s questions.

Answer #8 The doctor did NOT violate HIPAA. All of your medical information may be shared with your parents until you are 18 years old (unless you’re emancipated).

FAQ’s Q: What if I’m accidentally overheard discussing a client’s PHI? A: It is not a violation as long as you were taking reasonable precautions and were discussing the protected health information for a legitimate purpose. The HIPAA privacy rule is not meant to prevent care providers from communicating with each other and their clients during the course of treatment. These "incidental disclosures" are allowed under HIPAA.

FAQ’s Q: If I overhear patient care information in the elevator or in the hallway, how should I handle it? A: If appropriate, remind the speakers of the policy in private. If the conversation clearly violates policies or regulations, report it to the Privacy Officer.

FAQ’s Q: I work in the hospital and don't need to access PHI for my job, but every now and then a client’s family member asks me about a client. What should I do? A: Explain that you do not have access to that information, and refer the individual to the client’s healthcare provider.

FAQ’s Q: What should I do if a government agency or law enforcement person requests information about a client? A: If working with law enforcement is not part of your responsibility, contact your supervisor. If it is your responsibility, provide only the minimum amount necessary to support the investigation after verification of the authority of the individual or organization making the request. Always consult your supervisor or the Privacy Officer if you are unsure what to do. The privacy rules are very specific in this area.

FAQ’s Q: When I am speaking to a client, and friends or family members are in the treatment room, do I assume the client has given me permission to speak of the PHI in front of these people or do I need to ask them to leave? A: It is ok to speak, unless the client objects. If you are uncertain, you can ask the client if it is okay to discuss his/her PHI in front of the person or persons in the room.

FAQ’s Q: Can someone else pick up a client's x-rays, prescriptions, or medical supplies? A: Yes, if in the care provider's professional judgment it is okay to give the prescriptions, x-rays, or medical supplies to that individual.

FAQ’s Q: What if I get a phone call looking for information, and the caller says he/she’s the client? What should I do? A: If the request is made by phone and the requester identifies him/herself as the client, you can ask him/her to provide personal information for verification, such as his/her birth date or Social Security number.

FAQ’s Q: I know that clients have a right to their PHI, but what about parents/guardians of incompetent clients? A: If someone other than the client has the legal right to make healthcare decisions for the client, that person is the client's personal representative and has the right to access the client's PHI. However, if you have good reason to believe that informing the personal representative could result in harm to the client or others, then you do not have to disclose the PHI.

FAQ’s Q: When the law requires me to make a disclosure, such as reporting HIV infection, do I need to tell the client that I disclosed the information? A: You need to tell the client only if he/she asks for an accounting of disclosures, and the disclosure was made without an authorization. If there is good reason to believe that informing the client could result in harm to that individual, then you may not be required to tell him/her. In some cases, government agencies can also require that the client not be informed. If you are in doubt, contact the Privacy Officer.

FAQ’s Q: As part of my job, I have access to a client’s PHI. How do I know which family and friends can be told this information? A: Always ask the client who can receive this information and document the client’s response in the medical record.

FAQ’s Q: If the client is not conscious, to whom can we disclose the PHI? A: You will have to decide this on a case-by-case basis. If you know the client's preferences, as in “you can tell my spouse, but not my sister,” then document the request and follow it. Otherwise, use your professional judgment. Always use the Minimum Necessary standard: disclose only information that is directly relevant to the person's involvement with the client's healthcare. Once a client has regained consciousness, he/she will determine when and how to share protected health information.

FAQ’s Q: What about requests to leave protected information on voice mail, an answering machine, or FAX machine? A: If you are asked to send or leave messages, verify with the client or other approved individual that it is okay to leave messages. Make sure you confirm the number and leave only the minimum information necessary. Use a cover sheet identifying the proper recipient. Avoid leaving sensitive information in this manner.

FAQ’s Q: What do I do if I receive a request for PHI by fax? A: Most often, faxed requests for PHI will come from other healthcare providers or payers, like billing agencies or insurance companies, although clients may occasionally ask to have information faxed to them. If a client, health provider, or payer requests that you fax PHI, get a specific fax number from them and double-check the number before sending.

FAQ’s Q: What if I find a fax went to a wrong number? A: In the event that a fax went to a wrong number, try to retrieve the communication containing the PHI that was faxed to the wrong number or ensure that the information has been destroyed in a secure fashion.

FAQ’s Q: Can I look up my own records online? A: Yes, healthcare employees can look up their own records if they have access to the systems containing this information.

FAQ’s Q: Can I look up information about my spouse or other family members? A: It depends. You may access a spouse’s PHI only if you have your spouse's prior written permission. Otherwise, it is a serious violation. The same policy applies to looking up family, friends, or co-workers. You must get their prior permission in writing.

FAQ’s Q: Can I look up my children’s records? A: It depends. Healthcare employees are allowed to look up the records of children in their custody who are under 11 years old. If your children are 11 years or older, you do not have the right to look up their records, and using the computer to access information inappropriately is a serious violation. You may, however, request information from your children's care providers.

FAQ’s Q: What will happen if the PHI regulations have been violated? A: The healthcare system may face civil or criminal penalties and be substantially fined. Further, employees who knowingly misuse protected health information may be subject to prosecution, fines, and/or imprisonment up to ten years, in addition to any disciplinary actions by their employer.

Want to know more about HIPAA? U.S. Department of Health and Human Services: if you have questions or need additional information, visit the official website and take advantage of frequently updated resources there.