Home
FAQ's
HIPAA links
Contact Us

Protecting the Privacy of Personal Health Information

 
 

Compliance & Enforcement

 

How to File a Health Information Privacy Complaint

Health Information Privacy Complaint Form [PDF]

Interim final rule: Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings [PDF]

 
 

GENERAL INFORMATION

 

The Privacy Rule

HIPAA Statute

The Security Rule

Identifier Standards

What is the Privacy Rule and why has HHS issued regulations?

Privacy Rule Summary [PDF]

HIPAA Glossary & Acronyms

 
 

SMALL PROVIDERS & BUSINESSES

 

HIPAA essentials outline

HIPAA Checklist

OCR Summary - HIPAA Privacy Rule

Frequently Asked Questions

Am I a covered entity?

Covered Entity Flowchart

 
 

HIPAA - Related Links

 

Centers for Medicare and Medicaid Services (CMS)

The Privacy Rule and Public Health (CDC)

The Privacy Rule and Research (NIH)

National Committee on Vital and Health Statistics (NCVHS)

Workgroup for Electronic Data Interchange

Portability of Health Coverage - Dept. of Labor

Full List of HIPAA-Related Links

 
 

For Consumers

 

Fact Sheet: Protecting the Privacy of Patients' Health Information

 

Security Standards for the Protection of Electronic Protected Health Information

 
  Frequently Asked Questions    < previous   l   next >

 

11. May health care providers place medical charts on exam room doors?
12. Is an authorization needed to send a medical record to another provider who is treating the patient?
13. What types of insurance are NOT covered under HIPAA?
14. Under what conditions may a health care provider use, disclose, or request an entire medical record?
15. May a health care provider disclose parts of a medical record that were created by another provider?
16. Must I post my entire notice, or may I just post a brief description of it?
17. When is a health care provider a business associate of another health care provider?
18. Is a business associate contract needed for janitorial services and the like?
19. Must a health care provider give a copy of its notice to everyone, or just those that ask for it?
20. Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?

 

11. May health care providers place medical charts on exam room doors?

Yes, the Privacy Rule permits this practice as long as the clinic takes reasonable and appropriate measures to protect the patient’s privacy. The physician or other health care professionals use the patient charts for treatment purposes. Incidental disclosures to others that might occur as a result of the charts being left in the box are permitted, if the minimum necessary and reasonable safeguards requirements are met. See 45 CFR 164.502(a)(1)(iii). As the purpose of leaving the chart in the box is to provide the physician with access to the medical information relevant to the examination, the minimum necessary requirement would be satisfied. Examples of measures that could be reasonable and appropriate to safeguard the patient chart in such a situation would be limiting access to certain areas, ensuring that the area is supervised, escorting non-employees in the area, or placing the patient chart in the box with the front cover facing the wall rather than having protected health information about the patient visible to anyone who walks by. Each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances.

return to top

 

12. Is an authorization needed to send a medical record to another provider who is treating the patient?

No. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual.

return to top

 

13. What types of insurance are NOT covered under HIPAA?

No, the listed types of policies are not health plans. The HIPAA Administrative Simplification regulations specifically exclude from the definition of a “health plan” any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits, which are listed in section 2791(c)(1) of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1). See 45 CFR 160.103. As described in the statute, excepted benefits are one or more (or any combination thereof) of the following policies, plans or programs:

  • Coverage only for accident, or disability income insurance, or any combination thereof.
  • Coverage issued as a supplement to liability insurance.
  • Liability insurance, including general liability insurance and automobile liability insurance.
  • Workers’ compensation or similar insurance.
  • Automobile medical payment insurance.
  • Credit-only insurance.
  • Coverage for on-site medical clinics
  • Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.

return to top

 

14. Under what conditions may a health care provider use, disclose, or request an entire medical record?

No. The Privacy Rule does not prohibit the use, disclosure, or request of an entire medical record; and a covered entity may use, disclose, or request an entire medical record without a case-by-case justification, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes. For uses, the policies and procedures would identify those persons or classes of person in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests and the criteria used for non-routine disclosures and requests would identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes.

The Privacy Rule does not require that a justification be provided with respect to each distinct medical record.

Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment purposes or disclosures to the individual who is the subject of the protected health information.

return to top

 

15. May a health care provider disclose parts of a medical record that were created by another provider?

Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.

return to top

 

16. Must I post my entire notice, or may I just post a brief description of it?

Covered health care providers that maintain an office or other physical site where they provide health care directly to individuals are required to post their entire notice at the facility in a clear and prominent location. The Privacy Rule, however, does not prescribe any specific format for the posted notice, just that it include the same information that is distributed directly to the individual. Covered health care providers have discretion to design the posted notice in a manner that works best for their facility, which may be to simply post a copy of the pages of the notice that is provided directly to individuals.

return to top

 

17. When is a health care provider a business associate of another health care provider?

The HIPAA Privacy Rule explicitly excludes from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See 45 CFR 164.502(e)(1). Therefore, any covered health care provider (or other covered entity) may share protected health information with a health care provider for treatment purposes without a business associate contract. However, this exception does not preclude one health care provider from establishing a business associate relationship with another health care provider for some other purpose. For example, a hospital may enlist the services of another health care provider to assist in the hospital’s training of medical students. In this case, a business associate contract would be required before the hospital could allow the health care provider access to patient health information.

return to top

 

18. Is a business associate contract needed for janitorial services and the like?

A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. Generally, janitorial services that clean the offices or facilities of a covered entity are not business associates because the work they perform for covered entities does not involve the use or disclosure of protected health information, and any disclosure of protected health information to janitorial personnel that occurs in the performance of their duties (such as may occur while emptying trash cans) is limited in nature, occurs as a by-product of their janitorial duties, and could not be reasonably prevented. Such disclosures are incidental and permitted by the HIPAA Privacy Rule. See 45 CFR 164.502(a)(1).

If a service is hired to do work for a covered entity where disclosure of protected health information is not limited in nature (such as routine handling of records or shredding of documents containing protected health information), it likely would be a business associate. However, when such work is performed under the direct control of the covered entity (e.g., on the covered entity’s premises), the Privacy Rule permits the covered entity to treat the service as part of its workforce, and the covered entity need not enter into a business associate contract with the service.

return to top

 

19. Must a health care provider give a copy of its notice to everyone, or just those that ask for it?

The HIPAA Privacy Rule requires a covered health care provider with direct treatment relationships with individuals to give the notice to every individual no later than the date of first service delivery to the individual and to make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If the provider maintains an office or other physical site where she provides health care directly to individuals, the provider must also post the notice in the facility in a clear and prominent location where individuals are likely to see it, as well as make the notice available to those who ask for a copy.

return to top

 

20. Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?

No. However, a covered entity must ensure through its contract with the business associate that the business associate's uses and disclosures of protected health information and other actions are consistent with the covered entity's privacy policies, as stated in covered entity's notice. Also, a covered entity may use a business associate to distribute its notice to individuals.

 

 

 < previous   l   next > 

 
 

Copyright 2003-2010 ©HIPAAnews.org All Rights Reserved.