Frequently Asked Questions
- Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?
- Who must comply with these new HIPAA privacy standards?
- May health care providers leave messages at patients' homes or mail reminders to their
- What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?
- May health care providers use sign-in sheets or call out names in waiting rooms?
- Can a physician’s office FAX patient medical information to another physician’s office?
- Do business associates have obligations to individuals with respect to their information?
- Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?
- Does the HIPAA Privacy Rule require that covered entities document all oral communications?
- What does the HIPAA Privacy Rule do?
1. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?
For the average health care provider or
health plan, the Privacy Rule requires activities, such as:
- Notifying patients about their privacy rights and how their information
can be used.
- Adopting and implementing privacy procedures for its practice, hospital,
- Training employees so that they understand the privacy procedures.
- Designating an individual to be responsible for seeing that the privacy
procedures are adopted and followed.
- Securing patient records containing individually identifiable health
information so that they are not readily available to those who do not need
Responsible health care
providers and businesses already take many of the kinds of
steps required by the Rule to protect patients’ privacy.
Covered entities of all types and sizes are required to
comply with the Privacy Rule. To ease the burden of
complying with the new requirements, the Privacy Rule gives
needed flexibility for providers and plans to create their
own privacy procedures, tailored to fit their size and
needs. The scalability of the Rule provides a more efficient
and appropriate means of safeguarding protected health
information than would any single standard. For example:
- The privacy official at a small physician practice may be the office
manager, who will have other non-privacy related duties; the privacy
official at a large health plan may be a full-time position, and may have
the regular support and advice of a privacy staff or board.
- The training requirement may be satisfied by a small physician practice’s
providing each new member of the workforce with a copy of its privacy
policies and documenting that new members have reviewed the policies;
whereas a large health plan may provide training through live instruction,
video presentations, or interactive software programs.
- The policies and procedures of small providers may be more limited under
the Rule than those of a large hospital or health plan, based on the volume
of health information maintained and the number of interactions with those
within and outside of the health care system.
2. Who must comply with these new HIPAA privacy standards?
As required by Congress in HIPAA, the
Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who conduct certain financial and administrative
transactions electronically. These electronic transactions are those for
which standards have been adopted by the Secretary under HIPAA, such as
electronic billing and fund transfers.
These entities (collectively called “covered
entities”) are bound by the new privacy standards even if they contract with
others (called “business associates”) to perform some of their essential
functions. The law does not give the Department of Health and Human Services
(HHS) the authority to regulate other types of private businesses or public
agencies through this regulation. For example, HHS does not have the
authority to regulate employers, life insurance companies, or public
agencies that deliver social security or welfare benefits. See the fact
sheet and frequently asked questions on this web site about the standards on
“Business Associates” for a more detailed discussion of the covered
entities’ responsibilities when they engage others to perform essential
functions or services for them.
3. May health care providers leave messages at patients' homes or mail reminders to their
Yes. The HIPAA Privacy Rule permits health
care providers to communicate with patients regarding their health care.
This includes communicating with patients at their homes, whether through
the mail or by phone or in some other manner. In addition, the Rule does not
prohibit covered entities from leaving messages for patients on their
answering machines. However, to reasonably safeguard the individual’s
privacy, covered entities should take care to limit the amount of
information disclosed on the answering machine. For example, a covered
entity might want to consider leaving only its name and number and other
information necessary to confirm an appointment, or ask the individual to
A covered entity also may leave a message with a family member or other
person who answers the phone when the patient is not home. The Privacy Rule
permits covered entities to disclose limited information to family members,
friends, or other persons regarding an individual’s care, even when the
individual is not present. However, covered entities should use professional
judgment to assure that such disclosures are in the best interest of the
individual and limit the information disclosed.
In situations where a patient has requested that the covered entity
communicate with him in a confidential manner, such as by alternative means
or at an alternative location, the covered entity must accommodate that
request, if reasonable. For example, the Department considers a request to
receive mailings from the covered entity in a closed envelope rather than by
postcard to be a reasonable request that should be accommodated. Similarly,
a request to receive mail from the covered entity at a post office box
rather than at home, or to receive calls at the office rather than at home
are also considered to be reasonable requests, absent extenuating
4. What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?
The Privacy Rule permits, but does not
require, a covered entity voluntarily to obtain patient consent for uses and
disclosures of protected health information for treatment, payment, and
health care operations. Covered entities that do so have complete discretion
to design a process that best suits their needs.
By contrast, an “authorization” is required by the Privacy Rule for uses and
disclosures of protected health information not otherwise allowed by the
Rule. Where the Privacy Rule requires patient authorization, voluntary
consent is not sufficient to permit a use or disclosure of protected health
information unless it also satisfies the requirements of a valid
authorization. An authorization is a detailed document that gives covered
entities permission to use protected health information for specified
purposes, which are generally other than treatment, payment, or health care
operations, or to disclose protected health information to a third party
specified by the individual. An authorization must specify a number of
elements, including a description of the protected health information to be
used and disclosed, the person authorized to make the use or disclosure, the
person to whom the covered entity may make the disclosure, an expiration
date, and, in some cases, the purpose for which the information may be used
or disclosed. With limited exceptions, covered entities may not condition
treatment or coverage on the individual providing an authorization.
5. May health care providers use sign-in sheets or call out names in waiting rooms?
Yes. Covered entities, such as physician’s
offices, may use patient sign-in sheets or call out patient names in waiting
rooms, so long as the information disclosed is appropriately limited. The
HIPAA Privacy Rule explicitly permits the incidental disclosures that may
result from this practice, for example, when other patients in a waiting
room hear the identity of the person whose name is called, or see other
patient names on a sign-in sheet. However, these incidental disclosures are
permitted only when the covered entity has implemented reasonable safeguards
and the minimum necessary standard, where appropriate. For example, the
sign-in sheet may not display medical information that is not necessary for
the purpose of signing in (e.g., the medical problem for which the patient
is seeing the physician).
6. Can a physician’s office FAX patient medical information to another physician’s office?
The HIPAA Privacy Rule permits physicians to
disclose protected health information to another health care provider for
treatment purposes. This can be done by fax or by other means. Covered
entities must have in place reasonable and appropriate administrative,
technical, and physical safeguards to protect the privacy of protected
health information that is disclosed using a fax machine. Examples of
measures that could be reasonable and appropriate in such a situation
include the sender confirming that the fax number to be used is in fact the
correct one for the other physician’s office, and placing the fax machine in
a secure location to prevent unauthorized access to the information.
7. Do business associates have obligations to individuals with respect to their information?
The Privacy Rule regulates covered entities,
not business associates. The Rule requires covered entities to include
specific provisions in agreements with business associates to safeguard
protected health information, and addresses how covered entities may share
this information with business associates. Covered entities are responsible
for fulfilling Privacy Rule requirements with respect to individual rights,
including the rights of access, amendment, and accounting, as provided for
by 45 CFR 164.524, 164.526, and 164.528. With limited exceptions, a covered
entity is required to provide an individual access to his or her protected
health information in a designated record set. This includes information in
a designated record set of a business associate, unless the information held
by the business associate merely duplicates the information maintained by
the covered entity. Therefore, the Rule requires covered entities to specify
in the business associate contract that the business associate must make
such protected health information available if and when needed by the
covered entity to provide an individual with access to the information.
However, the Privacy Rule does not prevent the parties from agreeing through
the business associate contract that the business associate will provide
access to individuals, as may be appropriate where the business associate is
the only holder of the designated record set, or part thereof.
Under 45 CFR 164.526, a covered entity must amend protected health
information about an individual in a designated record set, including any
designated record sets (or copies thereof) held by a business associate.
Therefore, the Rule requires covered entities to specify in the business
associate contract that the business associate must amend protected health
information in such records (or copies) when requested by the covered
entity. The covered entity itself is responsible for addressing requests
from individuals for amendment and coordinating such requests with its
business associate. However, the Privacy Rule also does not prevent the
parties from agreeing through the contract that the business associate will
receive and address requests for amendment on behalf of the covered entity.
Under 45 CFR 164.528, the Privacy Rule requires a covered entity to provide
an accounting of certain disclosures, including certain disclosures by its
business associate, to the individual upon request. The business associate
contract must provide that the business associate will make such information
available to the covered entity in order for the covered entity to fulfill
its obligation to the individual. As with access and amendment, the parties
can agree through the business associate contract that the business
associate will provide the accounting to individuals, as may be appropriate
given the protected health information held by, and the functions of, the
8. Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?
Yes, the Privacy Rule generally allows a
parent to have access to the medical records about his or her child, as his
or her minor child’s personal representative when such access is not
inconsistent with State or other law.
There are three situations when the parent would not be the minor’s personal
representative under the Privacy Rule. These exceptions are: (1) when the
minor is the one who consents to care and the consent of the parent is not
required under State or other applicable law; (2) when the minor obtains
care at the direction of a court or a person appointed by the court; and (3)
when, and to the extent that, the parent agrees that the minor and the
health care provider may have a confidential relationship. However, even in
these exceptional situations, the parent may have access to the medical
records of the minor related to this treatment when State or other
applicable law requires or permits such parental access. Parental access
would be denied when State or other law prohibits such access. If State or
other applicable law is silent on a parent’s right of access in these cases,
the licensed health care provider may exercise his or her professional
judgment to the extent allowed by law to grant or deny parental access to
the minor’s medical information.
Finally, as is the case with respect to all personal representatives under
the Privacy Rule, a provider may choose not to treat a parent as a personal
representative when the provider reasonably believes, in his or her
professional judgment, that the child has been or may be subjected to
domestic violence, abuse or neglect, or that treating the parent as the
child’s personal representative could endanger the child.
9. Does the HIPAA Privacy Rule require that covered entities document all oral communications?
No. The Privacy Rule does not require
covered entities to document any information, including oral information,
that is used or disclosed for treatment, payment or health care operations.
The Rule includes, however, documentation requirements for some information
disclosures for other purposes. For example, some disclosures must be
documented in order to meet the standard for providing a disclosure history
to an individual upon request. Where a documentation requirement exists in
the Rule, it applies to all relevant communications, whether in oral or some
other form. For example, if a covered physician discloses information about
a case of tuberculosis to a public health authority as permitted by the Rule
at 45 CFR 164.512, then he or she must maintain a record of that disclosure
regardless of whether the disclosure was made orally, by phone, or in
10. What does the HIPAA Privacy Rule do?
Most health plans and health care providers
that are covered by the new Rule must comply with the new requirements by
April 14, 2003.
The HIPAA Privacy Rule for the first time creates national standards to
protect individuals’ medical records and other personal health information.
- It gives patients more control over their health information.
- It sets boundaries on the use and release of health records.
- It establishes appropriate safeguards that health care providers and
others must achieve to protect the privacy of health information.
- It holds violators accountable, with civil and criminal penalties that can
be imposed if they violate patients’ privacy rights.
- And it strikes a balance when public responsibility supports disclosure of
some forms of data – for example, to protect public health.
- For patients – it means being able to make informed choices when seeking
care and reimbursement for care based on how personal health information may
- It enables patients to find out how their information may be used, and
about certain disclosures of their information that have been made.
- It generally limits release of information to the minimum reasonably
needed for the purpose of the disclosure.
- It generally gives patients the right to examine and obtain a copy of
their own health records and request corrections.
- It empowers individuals to control certain uses and disclosures of their