|
Question # 613:
|
I would like to know what gamma hydroxybutyrate is, because I think someone had slipped it to me a couple of weekends ago. So I wanted to see all the side effects, what it does to you.
|
|
Answer:
|
This is not a HIPAA question. We do not identify drugs or their side effects.
|
|
|
|
Question # 611:
|
Is it a HIPAA violation to hang patients' Christmas Cards in the waiting room if they signed their first and last name?
|
|
Answer:
|
No, this would not be a violation.
|
|
|
|
Question # 610:
|
I am a Business Manager in a dental practice. I want to know if it is a HIPAA violation to send out reminder postcards to patients about their dental appointments? The card includes the patient's name and address on one side and the date and time of their appointment.
|
|
Answer:
|
No. The only violation would be if PHI were included on the card. An appointment is not PHI.
|
|
|
|
Question # 332:
|
There are a number of cemetery websites that have genealogical information available about the deceased in a searchable format for that cemetery. Is this in violation of the HIPAA regulations or do the deceased have no rights?
|
|
Answer:
|
HIPAA applies only to certain entities. Cemeteries are not on that list.
|
|
|
|
Question # 250:
|
Is it against HIPAA regulations for either a doctor's or a dentist's office to leave a message on a patient's answering machine confirming or reminding them of an upcoming appointment? Similarly, is it a violation to leave a verbal message with a relative or another member of the household confirming or reminding of an upcoming medical appointment?
|
|
Answer:
|
The answer to this question is no, it is not against HIPAA regulations to leave appointment information on an answering machine or with a relative.
|
|
|
|
Question # 241:
|
Vitals-
I work at a Neurology practice.
Do we have to do vitals on every patient?
Do we do vitals on all follow-ups or could we just do vitals on new patients only?
Thanks
|
|
Answer:
|
HIPAA does not dictate office practices - only the privacy and security of patient information. It is not meant to get in the way of everyday practices. The Vitals information would strictly be information that your practice needs to perform adequate care for the patients.
|
|
|
|
Question # 240:
|
I used to work for several physicians in an obgyn clinic. The doctors had trained a fellow employee to draw blood on patients. This person was not a licensed phlebotomist. According to all the new HIPAA guidelines, is this legal? Can a person draw blood under a physician's scope of practice without a license? Is this in compliance with HIPAA?
|
|
Answer:
|
This is a medical question, not a HIPAA question. HIPAA deals with Privacy & Security.
|
|
|
|
Question # 239:
|
According to the newest release of HIPAA, is it not HIPAA compliant to have a Patient Sign in sheet? I know of some offices that have a high level of patient income on a daily basis, and a sign in sheet is the only way to keep track of all the patients without losing the personal aspect of customer care.
|
|
Answer:
|
Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).
|
|
|
|
Question # 229:
|
I OWN A COPY SERVICE. I AM HAVING A PROBLEM WITH A MEDICAL PROVIDER. THEY WERE SERVED WITH A WORKERS' COMPENSATION SUBPOENA (ISSUED BY THE PATIENT'S ATTORNEY) REQUESTING MEDICAL RECORDS. THE OFFICE MANAGER INFORMED ME THAT A SUBPOENA WAS NOT HIPAA COMPLIANT, THAT I NEEDED AN AUTHORIZATION FROM THE PATIENT, WHICH IS NOT A PROBLEM, BUT ALSO HAVE TO PROVIDE THEM WITH A WRITTEN AUTHORIZATION FROM THE WORKERS' COMPENSATION CARRIER STATING THAT THEY WILL ALLOW THE RECORDS TO BE COPIED. THE OFFICE MANAGER EXPLAINED THAT THIS IS REQUIRED UNDER HIPAA GUIDELINES BECAUSE W/C RECORDS BELONG TO THE W/C CARRIER, NOT THE PATIENT. IS THIS ACCURATE?
|
|
Answer:
|
Covered entities are permitted to disclose protected health information for such purposes as authorized by, and to the extent necessary to comply with, workers’ compensation law. See 45 CFR 164.512(l). In addition, the Privacy Rule generally permits covered entities to disclose protected health information in the course of any judicial or administrative proceeding in response to a court order, subpoena, or other lawful process. See 45 CFR 164.512(e).
|
|
|
|
Question # 228:
|
Does faxing constitute electronic transfer?
|
|
Answer:
|
Not at this time.
|
|
|
|
Question # 226:
|
IS THERE A HIPAAPS FORM FOR INVOICE TO OUR PATIENTS? AND WHERE IS IT LOCATED AT?
|
|
Answer:
|
There are no HIPAA invoice requirements.
|
|
|
|
Question # 224:
|
My sister-in-law is having a baby and she is having an ultrasound done and her husband cannot be there and she wants me to go with her, but they told her that I could not be there because it is a HIPAA law, but if my sister-in-law says I can be in there is it still not ok? She doesn't want to take the chance of being there alone and them telling her that something is wrong with the baby. So my question is if she wants me in the room with her and I have her permission can I be in there. Thanks for your time.
|
|
Answer:
|
State or other law determines who is authorized to act on an individual’s behalf, thus the Privacy Rule does not address how personal representatives should be identified. Covered entities should continue to identify personal representatives the same way they have in the past. However, the HIPAA Privacy Rule does require covered entities to verify a personal representative’s authority in accordance with 45 CFR 164.514(h).
|
|
|
|
Question # 223:
|
My husband just recently had gastric bypass surgery and has had a lot of complications, and while we were in the hospital there were remarks made by some nurses about his weight when they were trying to move him, like "wow this is going to be one work out, we better get a couple of more nurses to help us". Then I overheard some nurses in the hallway talking about him and my family. My mother-in-law was very concerned and asked a lot of questions about the surgery and what to expect, and after she left they were out in the hall just discussing it, saying "oh what a mama's boy, boys are treated so differently than girls", just going on and on. Isn't that breaking a patient's confidentiality? Did they have the right to discuss it in the hallway or to even discuss it at all? Isn't it their job to answer questions and concerns, and take care of a patient without the rude comments? Thank you.
|
|
Answer:
|
This is not directly a HIPAA question, but a question concerning bad manners. My suggestion would be to speak to the supervisor concerning the comments.
|
|
|
|
Question # 222:
|
If person has insurance it expires Nov 30 and takes job where new insurance okays before Nov 30. Are all claims preexisting?
|
|
Answer:
|
The portability provisions of HIPAA say that no more than 63 days can pass when you do not have coverage in order for the portability (pre-existing conditions) to apply. From your comments it appears no time has passed, so pre-existing conditions should be covered, if the coverage is issued. HIPAA applies only if the coverage is actually issued.
|
|
|
|
Question # 221:
|
Does an ambulance provider have the means to look at transfer documents concerning pt. transfers? This is asked due to concerns of being an EMT-P transferring pts from one hospital to another.
|
|
Answer:
|
The HIPAA Privacy Rule permits an ambulance service or other health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider, such as a hospital, for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.
|
|
|
|
Question # 219:
|
I work in an outpatient imaging facility. When our patients come in, we've been giving them the HIPAA notice and asking them to sign a receipt that they've received it. What do we do if a patient refuses to sign the receipt, and argues the notice? Are we legally allowed to refuse treatment to the patient? How are we protected in this instance?
|
|
Answer:
|
The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.
Since signing is voluntary, it should be documented that the patient DID receive the notice and the reason for refusal to sign should also be documented.
By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule.
|
|
|
|
Question # 217:
|
When our HR department asks us to process a check to a medical or insurance vendor they are not providing any back up documentation to support the request and they say that due to HIPAA they are not allowed to provide any paperwork to the accounting office and they must keep everything on file in HR. I would like to know what information they can provide to us to justify their request for checks so we will also have a valid audit trail while respecting privacy. E.g.: Can they "black out" medical procedure and patient name and still provide us with statement showing balance due and remittance address for payment? Thank You.
|
|
Answer:
|
The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made.
|
|
|
|
Question # 216:
|
My question is about medical records. Let's say a medical office sends our office records. If this patient wants a copy of records this other office has sent us, can they be released?
|
|
Answer:
|
Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.
|
|
|
|
Question # 214:
|
My wife and I have just recently gotten pregnant about four months ago. I have been to every Dr. appointment and been in the room during the checkups. My wife has come down with a cold and can hardly talk. I called the OB Dr Office to find out what she can take over the counter for a cold and fever. I explained the situation to the Office Manager and she told me she can't discuss anything. As the husband and the parent, shouldn't I be able to find out about my own baby's condition and what I can do to help my wife? I feel this is completely wrong when you regulate what the father can be told about his own child and how to help his wife in a time when she needs it and can't talk on the phone.
|
|
Answer:
|
The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object.
|
|
|
|
Question # 211:
|
I work in a chiropractor's office in Illinois. We do file claims electronically. My questions are 1) Can a patient's EOBs from their insurance company be kept in their medical record? When bulk payments or denials are received, copies are made, the patient's name is highlighted and placed in the medical record. So in any given chart you can see payments and denials for other patients with the same insurance. Is this in violation of HIPAA? 2) The chiropractor I work for, on the second visit with the patient after insurance coverage has been verified, estimates what their insurance will pay according to their benefits. He comes up with a payment plan for the patient to include everything he will do for the next 6 months or year including office visits, scans and xrays and what his total charges would have been. The patients are then asked to sign a contract to pay up front or in monthly installments. Essentially patients' copays and deductibles are being written off. So let's say your treatment plan for 6 months will cost $3000.00 and your insurance will only cover $2000.00, he might ask you to pay $500.00 up front and the remaining $500.00 will be written off your account. Isn't this against HIPAA regulation?
|
|
Answer:
|
HIPAA does not dictate how a bill is to be paid. This would be an office procedure not directly connected to HIPAA.
|
|
|
|
Question # 210:
|
Is there anything in the HIPAA law that would give an employee rights when it comes down to their employer asking for medical notes when the employee is out sick?
Can the employer require a medical note?
If yes is there anything that wouldn't have to be disclosed in the note?
Thank you,
Rob
|
|
Answer:
|
The Privacy Rule is not intended to impede the flow of health information to those who need it to process or adjudicate claims, or coordinate care, for injured or ill workers. The minimum necessary standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose.
|
|
|
|
Question # 208:
|
After my GYN prescribed a medication that did not work for me, I phoned the office and spoke with a nurse who told me that they called my insurance company and requested a report of medications I had taken in the past 2 months and proceeded to question me about a sleep aid and cough suppressant prescribed by my PCP about a month ago. They could have asked me personally and I would have given them the same answer but I was shocked to find out they did this. Is this legal?
|
|
Answer:
|
Consulting with another health care provider about a patient is within the HIPAA Privacy Rule’s definition of “treatment” and, therefore, is permissible. In addition, a health care provider (or other covered entity) is expressly permitted to disclose protected health information about an individual to a health care provider for that provider’s treatment of the individual. See 45 CFR 164.506.
|
|
|
|
Question # 201:
|
I am the Claims/Security Manager for Midway Slots and Simulcast. Part of my responsibility included supervising our in house First Response Team, who are tasked with responding to all guest and employee injuries/illnesses.
When a response to an incident is made, a computer generated report is completed which includes name, address, phone no. time and date of the incident, what type of incident and what actions were taken. This report is then sent to me and after review, I forward the reports to our insurance company for determination of liability and coordination of any claim arising from the incident.
On occasion, these reports will contain information regarding past medical history, that has been voluntarily provided by the injured/ill guest/employee.
Because of this, do we fall under HIPAA regulations and what are our responsibilities for compliance?
|
|
Answer:
|
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care provider who transmits any health information in electronic form
The Definition of A Health Care Clearinghouse is (in part):
A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches.
In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a Business Associate. In such instances, only certain provisions of the Privacy Rule are applicable to the health care clearinghouse’s uses and disclosures of protected health information.
You could be a Business Associate (rather than a covered entity), in which case you need to go to www.hipaaps.com and read the information on Business Associate.
|
|
|
|
Question # 200:
|
We are RDTF company we did nerve conduction test on the patient last year in June, now we are asked for the progress note for the patient, but the medical office didn't want to release any information they asked for the form. Can you tell me what kind of form do we need when you asked progress note for the patient for the test which you did last year. Thanks for your help.
|
|
Answer:
|
Without knowing more about the situation, I am going to try to interpret your question. The medical office may be assuming that you are a Business Associate; however, the HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.
45 CFR 164.506 states "(2) A covered health care provider may, without consent, use or disclose protected health information to carry out treatment, payment, or health care operations, if:
(i) The covered health care provider has an indirect treatment relationship with the individual; or
(ii) The covered health care provider created or received the protected health information in the course of providing health care to an individual who is an inmate.
(3)(i) A covered health care provider may, without prior consent, use or disclose protected health information created or received under paragraph (a)(3)(i)(A)-(C) of this section to carry out treatment, payment, or health care operations:
45 CFR 164.501 defines treatment as "Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another."
I hope this answers your question.
|
|
|
|
Question # 199:
|
If a patient refuses to sign the consent of treatment form because she does not want us to release the study done to her insurance company but at the same time wants us to bill the insurance, my question would be are we compliant by refusing her study or asking her to pay for her study up front and letting her bill the insurance herself?
thanks
|
|
Answer:
|
The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.
By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.
|
|
|
|
Question # 198:
|
I work for an oral surgeon and the staff is not sure about something. Are we allowed to call a patient's referring dentist to get information such as name, address, phone, birth date, social security number, insurance info and reason for referral? Hope you help. Thank you.
|
|
Answer:
|
Consulting with another health care provider about a patient is within the HIPAA Privacy Rule’s definition of “treatment” and, therefore, is permissible. In addition, a health care provider (or other covered entity) is expressly permitted to disclose protected health information about an individual to a health care provider for that provider’s treatment of the individual. See 45 CFR 164.506.
|
|
|
|
Question # 196:
|
Is it a violation of HIPAA to weigh and take a patient's vitals in front of another patient? This happened to me at my Dr's office last week and made me feel really uncomfortable.
|
|
Answer:
|
This would likely be classed as an incidental disclosure. It should probably be done more privately as it is part of your health information. You should speak to the doctor about feeling uncomfortable in the situation.
The HIPAA Privacy Rule does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Rule requires only that covered entities implement reasonable safeguards ("best effort") to limit incidental uses or disclosures. See 45 CFR 164.530(c)(2).
|
|
|
|
Question # 195:
|
In regards to HIPAA, what are the effects to FMLA? For example, when an employee needs to supply a doctor's note to cover injury/illness.
Thank you
|
|
Answer:
|
Records and documents relating to medical certifications, recertifications or medical histories of employees or employees' family members, created for purposes of FMLA, shall be maintained as confidential medical records in separate files/records from the usual personnel files, and if ADA is also applicable, such records shall be maintained in conformance with ADA confidentiality requirements (see 29 CFR Sec. 1630.14(c)(1)), except that:
(1) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of an employee and necessary accommodations;
(2) First aid and safety personnel may be informed (when appropriate) if the employee's physical or medical condition might require emergency treatment; and
(3) Government officials investigating compliance with FMLA (or other pertinent law) shall be provided relevant information upon request.
|
|
|
|
Question # 194:
|
Where can I find HIPAA guidelines that affect the way the Medical coder does his or her job?
|
|
Answer:
|
If you go to the website at: http://cms.hhs.gov/hipaa/hipaa2/news/NewsReleaseFull.asp#NewsItem11 you can download a PDF file with the final regs.
|
|
|
|
Question # 193:
|
In the event a business associate does not carry the credit card requested to purchase the HIPAA software, what other alternate payment method do you accept?
|
|
Answer:
|
We are in the process of getting set up to accept checks on HIPAAps.com. But for now, a check or money order may be sent to: HIPAAps, C/O D. Begley, Pres., 5115 Excelsior Blvd., St. Louis Park, MN 55416. With the check/MO, send information such as: Name, address, and phone number of the Business and the name of a contact person and an email address, plus any details that are pertinent so we can look you up on the web site to be sure you are set up correctly.
|
|
|
|
Question # 192:
|
How does the HIPAA privacy law affect FMLA?
|
|
Answer:
|
FMLA (Family and Medical Leave Act) is a Labor Law. The only overlap between the two is that HIPAA deals with the privacy of medical records, which may be needed in the process of applying for leave under FMLA.
|
|
|
|
Question # 191:
|
If an employer has an employee on workers compensation who is going to therapy for a work related injury, is the employer able to call the therapy department and change the therapy appointment schedule that has been set up for the employee.
|
|
Answer:
|
I really can't answer this question. Why would the employer want to change the appointment in the first place? Is the employee still on the job?
|
|
|
|
Question # 190:
|
THERE HAS BEEN SOME CONFUSION REGARDING THE BUSINESS ASSOCIATE AGREEMENTS LATELY. WHILE I UNDERSTAND THAT DOCTORS ARE NOT 100% OF THE TIME BUSINESS ASSOCIATES, I SEE ON THIS WEBSITE THAT PRACTICE MANAGERS ARE NAMED AS BUSINESS ASSOCIATES. ALTHOUGH "OVER-KILL" I MAILED THESE AGREEMENTS TO THE INDIVIDUAL DOCTORS/PRACTICES AND NOW THEY DECLINE TO RETURN THE AGREEMENTS.
PLEASE ADVISE.
I WANT TO BE SURE THAT THESE OTHER PRACTICES ARE COMPLYING AS WE ARE.
THANK YOU!!!
|
|
Answer:
|
A Business Associate, in general, is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use and disclosure of individually identifiable health information.
Business Associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.
Business Associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
Persons or organizations are not considered business associates if their functions or services do not involve the use and disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity.
However, the Privacy Rule permits a covered entity to use and disclose protected health information for treatment, payment, or health care operations.
For treatment purposes, the Rule generally allows protected health information to be shared without restriction. The definition of "treatment" incorporates the necessary interaction of more than one entity. In particular, the definition of "treatment" includes the coordination and management of health care among health care providers or by a health care provider with a third party, consultations between health care providers, and referrals of a patient for health care from one health care provider to another.
As a result, covered entities are permitted to disclose protected health information for treatment purposes regardless of to whom the disclosure is made, as well as to disclose protected health information for the treatment activities of another health care provider.
|
|
|
|
Question # 189:
|
Do workmen's compensation companies fall into the covered entities of HIPAA? I was informed by an employee at NationWide/Workman Comp. Div. that they are not required to follow HIPAA guidelines. As far as I can tell, from reading who is affected, they could be required to follow HIPAA rules.
|
|
Answer:
|
The HIPAA Administrative Simplification regulations specifically exclude from the definition of a “health plan” any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits, which are listed in section 2791(c)(1) of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1). See 45 CFR 160.103. As described in the statute, excepted benefits are one or more (or any combination thereof) of the following policies, plans or programs:
- Coverage only for accident, or disability income insurance, or any combination thereof.
- Coverage issued as a supplement to liability insurance.
- Liability insurance, including general liability insurance and automobile liability insurance.
- Workers’ compensation or similar insurance.
- Automobile medical payment insurance.
- Credit-only insurance.
- Coverage for on-site medical clinics.
- Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.
|
|
|
|
Question # 188:
|
My employer is requiring me to have one of my family member's doctor fill out FMLA paperwork in order to approve my time off to care for this person. Is this something that would fall under HIPAA? Thanks.
|
|
Answer:
|
Employers are not covered entities under HIPAA. However, your employer would need to know the reason you are taking time off work to care for this individual.
|
|
|
|
Question # 187:
|
Will not give my name. But there is an entity (Tioga Nursing Facility in Waverly New York) that is under the GHS (Guthrie Healthcare Facility from Sayre Pa), that are under the same HIPAA regulations and the TNF is not following the HIPAA regulations. There is swearing in front of the residents, sexual harassment, breach of confidentiality and just plain rude behavior. The residents can not leave the area as they are placed around the nurses station and the nurses give report when everyone can hear.
|
|
Answer:
|
Is it possible that you could talk to the TNF Security Officer and explain what you see happening? The Security Officer's job is to correct this kind of a situation. Maybe he/she doesn't realize these things are happening.
|
|
|
|
Question # 186:
|
We deal with an outside finance company for our dental patients that provide financing for treatment done in our office. Do the HIPAA laws place any restrictions for a person who applies for this credit to apply towards treatment of a spouse. For example, information on the spouse who is receiving the treatment will need to be available to the spouse who has applied for the credit. The slip that needs to be signed has not only financial information on it, but also the treatment that was done. Thank you.
|
|
Answer:
|
The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made. Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. See 45 CFR 164.506(c) and the definition of “payment” at 45 CFR 164.501. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.502(b), 164.514(d), and 164.522.
|
|
|
|
Question # 185:
|
We notify patients, when they are in the office, of appointments that are needed for other members of their family. With the new HIPAA laws, are we now limited to disclosing only children's information or can we inform a husband that his wife is overdue for a cleaning? Thank you.
|
|
Answer:
|
The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
|
|
|
|
Question # 184:
|
Is it still permissible under HIPAA regulations to use deidentified data that has been previously collected for clinical purposes as research data? (After obtaining IRB approval, of course). Or, is it necessary for the patients to have signed a consent beforehand?
|
|
Answer:
|
Yes. Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i).
A web site with more information on research rules, etc. can be found at:
http://privacyruleandresearch.nih.gov/pr_02.asp
|
|
|
|
Question # 182:
|
I WORK AT AN ELDERLY APARTMENT COMPLEX AND MY RESIDENTS PUT OBITUARIES UP ON THE BOARD TO NOTIFY OTHERS, OR THEY MAY PUT A NOTICE UP LETTING OTHER RESIDENTS KNOW THAT A FELLOW RESIDENT IS IN THE HOSPITAL.
HOW MIGHT THIS AFFECT US?
|
|
Answer:
|
I'm not sure if this answers your question, but I hope it helps.
The Privacy Rule explicitly permits certain incidental disclosures that occur as a by-product of an otherwise permitted disclosure—for example, the disclosure to other patients in a waiting room of the identity of the person whose name is called. In this case, disclosure of patient names by posting on the wall is permitted by the Privacy Rule, if the use or disclosure is for treatment (for example, to ensure that patient care is provided to the correct individual) or health care operations purposes (for example, as a service for patients and their families). The disclosure of such information to other persons (such as other visitors) that will likely also occur due to the posting is an incidental disclosure.
Incidental disclosures are permitted only to the extent that the covered entity has applied reasonable and appropriate safeguards and implemented the minimum necessary standard, where appropriate. See 45 CFR 164.502(a)(1)(iii). In this case, it would appear that the disclosure of names is the minimum necessary for the purposes of the permitted uses or disclosures described above, and there do not appear to be additional safeguards that would be reasonable to take in these circumstances. However, each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances.
|
|
|
|
Question # 181:
|
I AM A MANAGER OF AN ELDERLY APARTMENT COMPLEX THAT FOLLOWS HUD AND LIHTC GUIDELINES. WE ARE REQUIRED TO VERIFY BY 3RD PARTY MEDICAL EXPENSES, LIFE INSURANCE POLICIES ETC.
HOW WILL HIPAA AFFECT THIS PROCESS?
|
|
Answer:
|
I'm not sure what all you are wanting information on. However, maybe this will answer some of your questions.
The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made. Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. See 45 CFR 164.506(c) and the definition of "payment" at 45 CFR 164.501. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.502(b), 164.514(d), and 164.522.
|
|
|
|
Question # 180:
|
MY EMPLOYER WANTS TO KNOW WHAT THE PROCEDURE FOR GIVING INFORMATION OVER THE PHONE IS AND WHAT HIPAA ALLOWS.
FOR EXAMPLE:
OUR OFFICE RECEIVES CALLS ALL THE TIME FROM PATIENTS AND THEIR SPOUSES AND CHILDREN STATING THAT THE PATIENT DOESN'T OWE ANY MONEY AND THAT THE PATIENT DIDN'T SEE THAT DOCTOR ON THAT DAY. I NEED TO KNOW WHAT WE ARE ALLOWED TO TELL THE PATIENT, THEIR HUSBAND OR WIFE AND CHILDREN. ARE WE ALLOWED TO SAY OR VERIFY THAT THE PATIENT DID SEE THE DOCTOR AND WHAT THE BALANCE IS? CAN WE GIVE INFORMATION TO OTHER FAMILY MEMBERS? PLEASE ADVISE
THANKS
|
|
Answer:
|
A covered entity may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
|
|
|
|
Question # 178:
|
I wanted to know if I took my prescription and dropped it off and when I picked it up and after I took them I started feeling sick what should I do?
|
|
Answer:
|
This is not a HIPAA question. Sorry.
|
|
|
|
Question # 177:
|
WHO IS THE PRESIDENT OF HIPAA AND IN WHAT YEAR DID IT GO INTO EFFECT?
|
|
Answer:
|
The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 61 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information.
HIPAA required the Secretary to issue privacy regulations governing individually identifiable health information, if Congress did not enact privacy legislation within these years of the passage of HIPAA. Because Congress did not enact privacy legislation, HHS developed a proposed rule and released it for public comment on November 3, 1999. The Department received over 52,000 public comments. The final regulation, the Privacy Rule, was published December 2, 2000.
In March 2003, the Department proposed and released for public comment modifications to the Privacy Rule. The Department received over 11,000 comments. The final modifications were published in final form on August 14, 2002.
All covered entities, except "small health plans" must be compliant with the Privacy Rule by April 14, 2003. Small health plans have until April 14, 2004 to comply.
|
|
|
|
Question # 175:
|
My minor daughter (13) recently went to the orthodontist and I was appalled when the dentist refused to let me be in the room with her. Was he correct in asking me to leave? Does and can my daughter need to sign a "consent form?" Is this part of the HIPAA bill, not to allow parental knowledge of their children's medical information?
|
|
Answer:
|
The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524. The scope of access will depend on the authority granted to the personal representative by other law. If the personal representative is authorized to make health care decisions, generally, then the personal representative may have access to the individual’s protected health information regarding health care in general. On the other hand, if the authority is limited, the personal representative may have access only to protected health information that may be relevant to making decisions within the personal representative’s authority. For example, if a personal representative’s authority is limited to authorizing artificial life support, then the personal representative’s access to protected health information is limited to that information which may be relevant to decisions about artificial life support.
There is an exception to the general rule that a covered entity must treat an adult or emancipated minor’s personal representative as the individual. Specifically, the Privacy Rule does not require a covered entity to treat a personal representative as the individual if, in the exercise of professional judgment, it believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual has been or may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual. This exception applies to adults and both emancipated and unemancipated minors who may be subject to abuse or neglect by their personal representatives.
|
|
|
|
Question # 173:
|
How do you handle phone calls, voicemail or answering machines, and need to leave a message re: an appointment or surgery for that pt?
|
|
Answer:
|
Please see the answer to Question #119. I think it will give you your answer. Thanks.
|
|
|
|
Question # 172:
|
How do I know if our office will be affected by HIPAA? We don't submit claims electronically, and we have 9 employees. With the doctors it's 12. Please let me know.
Thank you,
eileen
|
|
Answer:
|
HIPAA applies to (1) health plans; (2) health care clearing houses; and (3) health care providers, regardless of size, who electronically transmit health information in connection with certain transactions.
"The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf."
If none of these pertain to your office and you are still not sure if you are a covered entity, go to the website http://www.hipaaps.com and look at the description under 'What is HIPAA' and 'Who is affected?'
Hope this helps.
|
|
|
|
Question # 171:
|
When a patient comes in, is it allowable at the front desk to ask if their birthdate is such and such, address is correct, marital status and who their employer is? JUDY
|
|
Answer:
|
What do you need the information for? Are you working in a medical office? If you are gathering information for a doctor and talking to the patient where it is reasonable that the information is confidential, yes, you can collect information that will be helpful to the doctor who will be providing health or medical care.
|
|
|
|
Question # 169:
|
Where can I find PHI report form? Thank you
|
|
Answer:
|
What kind of PHI report form are you looking for? If you are a member of HIPAAps.com, check the Forms section and see if the form you need is there. If it isn't, email me back with more information.
|
|
|
|
Question # 168:
|
Who pays the penalties, the employer or the violator?
|
|
Answer:
|
Penalties for what? The covered entity is ultimately responsible when a violation occurs. However, how he handles the person who constituted the violation is at his discretion.
Does this answer your question?
|
|
|
|
Question # 167:
|
Hello,
I am a massage practitioner in MD. I do NOT take insurance, credit cards, or do any processing by computer. Any clients who request their files must do so at the time of their visit. All clients receive hard copies only, I do not do any transfers over the web. Does HIPAA apply to me?
Thank you,
Karen
P.S. If you have already answered my first email please disregard this one.
|
|
Answer:
|
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
If none of the above fits your description, you may not be a covered entity and you probably only keep your client information secure as a courtesy to your clients.
|
|
|
|
Question # 166:
|
I work at a Hospital and release information to life and health insurance companies. What is the verbiage that I need to see in the authorizations I receive? What must be in there? Can you send me an acceptable outline or copy of an authorization you created that I can just put our name on?
Please help asap or call me 619 299-7513 or fax me a copy of an example. 619 229-7539.
Thank you very much. Adrina Morton
|
|
Answer:
|
Adrina, Is the information you release for claims payment?
HIPAA says "A covered entity may use and disclose PHI for its own treatment, payment, or health care operations activities."
and "Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment to be reimbursed for the provision of health care to an individual."
Obtaining "consent" (written permission from individuals to use and disclose their PHI for treatment, payment, and health care operations (TPO)) is optional under the Privacy Rule for all covered entities. The content of the consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent.
I hope I have interpreted your question correctly and that this answers your question.
|
|
|
|
Question # 164:
|
In the manual, how do I edit and/or delete items that do not pertain to our company?
Thank you,
Kelly Young
Reality Systems
636-498-1805
|
|
Answer:
|
As you go through the process of setting up the company on HIPAAps.com, and you go through the library, you can choose the documents you want for your manual. Once all documents are chosen, you can view, edit and print each document using the document manager.
|
|
|
|
Question # 163:
|
I recently took my 17 year old son to a specialist who ordered many tests, and instructed me to call his office in two weeks to get the results of these tests. When I called the office, I spoke to a nurse, told her who I was and that my son was underage and I had been instructed to call the office for results of tests. I was told that I was not able to receive any information on my son's tests unless I had "power of attorney". Is this correct, when the child is a minor?
|
|
Answer:
|
The Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.
There are three situations when the parent would not be the minor’s personal representative under the Privacy Rule. These exceptions are: (1) when the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law; (2) when the minor obtains care at the direction of a court or a person appointed by the court; and (3) when, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.
However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access. Parental access would be denied when State or other law prohibits such access. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor’s medical information.
You should not need a 'Power of Attorney' - only proof of your relationship with your son and that you are his personal representative.
|
|
|
|
Question # 162:
|
A worker in a call center answers a call, the call requires the worker to ask for health information. The call is recorded, is the call recording itself covered? The recordings are digital files.
|
|
Answer:
|
Is the call center a covered entity?
I'm not sure what you are asking. Are you asking if the recording is covered by HIPAA?
As with any health information, the information on the recordings needs to be protected from unauthorized personnel.
|
|
|
|
Question # 161:
|
My daughter is 20 years old. She is currently covered under my medical insurance w/Cobra coverage. She has been on her job almost 2 months and signed up for their group health insurance, which will go into effect May 1, 2003. I was going to drop her from Cobra coverage the end of April, but am not sure this is the best thing to do.
My situation is this...my daughter has been having a lot of pain and discomfort in her right knee (had surgery on same knee 6 years ago). She went to the doctor (4/25/03) and has been referred to an orthopedic doctor for follow-up. Her appointment with the orthopedic is May 7, 2003.
Question #1...Will the new insurance pick up expenses where the cobra insurance ends, or should the cobra insurance be extended until the knee problem is resolved?
Question #2...The new insurance company (UnitedHealth) told me that this would be considered a "pre-existing condition" unless the orthopedic doctor's diagnosis was different from the original diagnosis. Is this correct?
|
|
Answer:
|
I really can't answer this question. You need to ask these questions of the Insurance agent with whom you have coverage.
|
|
|
|
Question # 160:
|
Do you cover other areas that are not health related? I am inquiring about Motor Vehicle Records. Can an Insurance agency get MVRs on one of their customer's employees and release that information to the customer, or does the customer have to get the information? If you cannot answer this question can you please direct me to someone that can answer this?
Thank you for your assistance.
|
|
Answer:
|
No, this is not a HIPAA question. HIPAA does not cover Motor Vehicle records. I'm sorry but I do not know the answer to your question.
|
|
|
|
Question # 159:
|
I am a patient care volunteer with our local Hospice Organization. Our duties involve going into a patient's home and sitting with them for a few hours at a time. We were always given a face sheet before we went to a new patient which told us a diagnosis. This also gave us information on whether or not the patient had a communicable disease like HIV, TB, or Hepatitis that ran concurrently with the primary diagnosis. Now we are not given any information. Don't we fall under a right to know? Under certain circumstances a volunteer might not want to be exposed to one of these diseases.
|
|
Answer:
|
You are considered part of the workforce of the Hospice Organization even though you are a volunteer.
The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the Rule requires covered entities to make their own assessment of what protected health information is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly.
This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.
The minimum necessary standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information. It is intended to reflect and be consistent with, not override, professional judgment and standards.
Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to personal health information without sacrificing the quality of health care.
HIPAA was not meant to inhibit caregivers from having information they need to care for the patient, and as a part of the workforce, you have the same responsibilities for the privacy of the PHI as the covered entity.
|
|
|
|
Question # 158:
|
I currently have Horizon Blue Cross Blue Shield of New Jersey. I'm upset that they have my SSN number printed on the card. If I was to lose my wallet then my SSN number is exposed. Do you know if this is covered under HIPAA?
Thanks
Jim
|
|
Answer:
|
In this case, your SSN is your insurance identification number. No, this is not covered by HIPAA. However, when someone comes up with another means of identification, insurance companies will probably not use SSNs for ID. It is rather complicated at this point.
|
|
|
|
Question # 157:
|
I work at a 911 dispatch center. We use voice paging, and also some agencies have pagers where the initial information is sent to them. Address, nature of call, and a brief text like "25 y/o male difficulty breathing." Then once the units go enroute to the call they get updated information, such as, repeat of address and "25 y/o difficulty breathing, has history of asthma, is currently conscious and breathing." This is our center's policy, and this is how the fire departments and ambulances prefer their information. How does this affect us (and the responders)? What can (and can't) we air in these 911 situations? Thank you!
|
|
Answer:
|
Please see the answer to Question #68. If you are not a covered entity, you may be considered a Business Associate of your local medical institutions. Do you use actual names or just minimum necessary information during your broadcast?
Read the answer to Question #68. In the meantime, I will do more research on this question.
Thanks.
|
|
|
|
Question # 156:
|
I am a practicing massage therapist in MD. I do not do ANYTHING electronically. Any clients who want a copy of their files get a hard copy and must request it at the time of their appointment. I take no insurance or credit cards. Am I still required to have the HIPAA package?
|
|
Answer:
|
Please see the answer to Question #152. I think this will also answer your question. Thanks.
|
|
|
|
Question # 155:
|
I work in research and would like clarification on who is responsible for the HIPAA Consent for research subjects. We are receiving a lot of changes to our HIPAA consent from sponsor companies, and have concerns with the wording. From what I have read and understand is that they are not a covered entity when it comes to a research study. It is the Principal Investigator and site's responsibility with the confidentiality of the patient's data that is being collected and used. That the sponsor is covered under the Investigator.
|
|
Answer:
|
For Health Research, a covered entity can use or disclose PHI for research without authorization under certain conditions, including
(1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations;
(2) for activities preparatory to research; and
(3) for research on a decedent's information.
The Privacy Rule permits covered entities to disclose PHI, without authorization, to public health authorities or other entities who are legally authorized to receive such reports for the purpose of preventing or controlling disease or injury; reporting vital events (e.g. births or deaths); conducting public health surveillance, investigations, or interventions; reporting child abuse and neglect; and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological, and medical devices [45 CFR 164.512(b)].
I hope this helps. Without knowing the type of research you are doing, I have to give you a general description of the law.
|
|
|
|
Question # 154:
|
My fiancé and father of my children had recently been murdered. I am the beneficiary of his life insurance. The insurance co. requires me to send in his hospital reports. The hospital tells me I need the next of kin to sign an authorization. I cannot obtain this, he was not very close with his relatives before his death so it is difficult for me to get this. What could I do to obtain these records? Everything was in my name and my fiancé's name: bank accounts, bills for which we did reside together. I am at a standstill.
|
|
Answer:
|
This is an unfortunate situation and I wish I could help you, but this is a legal question and I do not have the expertise to answer it. Please see an attorney and explain the situation.
|
|
|
|
Question # 152:
|
We have a massage therapy school and clinic that is open to the public. We do handle client files but do not work with billing or insurance. All services are offered on a cash basis. Do we need to be compliant with HIPAA?
|
|
Answer:
|
Covered entities are: "Health plans; health-care clearing houses; and health care providers who transmit information in electronic form in connection with certain transactions."
If none of these descriptions fit you, chances are you are not a covered entity and would not, by law, need to be compliant with HIPAA. However, you might study the HIPAA rules pertaining to client Protected Health Information (PHI) and, for your protection, apply those rules.
|
|
|
|
Question # 151:
|
We are an ophthalmology office that dispenses contact lenses to patients, the question is: Do we need a signed release form for the patient's relatives or friends to pick them up if the patient themselves is unable?
|
|
Answer:
|
Are you a covered entity? It would be prudent to have a signed release unless you are positive the lenses will be going to the person they were meant for. At least document who picked the lenses up and place the documentation in the patient's file.
|
|
|
|
Question # 149:
|
Can the spouse of a patient make an appointment for the patient at the patient's physician's office and can the spouse be given the information pertaining to date, time and any pre-appointment information necessary to be done before said appointment?
Also, can a signed consent form be put in one's medical record stating that the spouse has permission to receive any information that the patient has a right to? What are the requirements to make this legal?
Thanks.
|
|
Answer:
|
HIPAA does not eliminate common sense. Your husband may have to sign an authorization or at least talk with the clinic, but this should not be an issue.
The clinic probably has an authorization to use for this purpose. If not, we offer a library of sample forms on our web site at HIPAAps.com for our members.
|
|
|
|
Question # 148:
|
Can an immediate family member obtain medical records when a patient has died suddenly?
|
|
Answer:
|
The HIPAA Privacy Rule recognizes that a deceased individual’s protected health information may be relevant to a family member’s health care. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative. First, disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative. Second, a covered entity must treat a deceased individual’s legally authorized executor or administrator, or a person who is otherwise legally authorized to act on the behalf of the deceased individual or his estate, as a personal representative with respect to protected health information relevant to such representation. Therefore, if it is within the scope of such personal representative’s authority under other law, the Rule permits the personal representative to obtain the information or provide the appropriate authorization for its disclosure.
|
|
|
|
Question # 147:
|
When are family members, or anyone, allowed to have or view medical records?
|
|
Answer:
|
The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524. The scope of access will depend on the authority granted to the personal representative by other law. If the personal representative is authorized to make health care decisions, generally, then the personal representative may have access to the individual’s protected health information regarding health care in general. On the other hand, if the authority is limited, the personal representative may have access only to protected health information that may be relevant to making decisions within the personal representative’s authority. For example, if a personal representative’s authority is limited to authorizing artificial life support, then the personal representative’s access to protected health information is limited to that information which may be relevant to decisions about artificial life support.
There is an exception to the general rule that a covered entity must treat an adult or emancipated minor’s personal representative as the individual. Specifically, the Privacy Rule does not require a covered entity to treat a personal representative as the individual if, in the exercise of professional judgment, it believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual has been or may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual. This exception applies to adults and both emancipated and unemancipated minors who may be subject to abuse or neglect by their personal representatives.
|
|
|
|
Question # 146:
|
When "testing" a patient, should there be some way to protect the patient's identity? Meaning, instead of closing a door then doing a test, can there be a drape of some sort to block the patient from being seen as passersby walk by?
|
|
Answer:
|
I'm not sure what kind of testing you are doing, but you have the idea on the main point - the patient's privacy. Whatever makes sense, as long as the patient's privacy is protected.
|
|
|
|
Question # 145:
|
I recently called my health insurance company to request information on outstanding claims for my son that I submitted. The claims have been in review for many months now, and since the time that the claims were filed my son turned 18. My son is currently not available for me to contact. They informed me when I called and asked questions concerning these prior claims that my son has turned 18 and so they cannot give out any claim information to his mother, even though I, his mother, submitted the claims before he was 18 and the insurance company took many months to review them. I then talked to a manager who said the same thing, and then changed his mind and said if my husband signed a release that they could release info to me his wife for my son that they could. This sounds crazy. I also asked for a copy of these so-called privacy laws concerning this situation and he claimed that he couldn't fax those laws to me.
Now he has called me back and he's not sure if he can disclose any information on my son's claims from before he turned 18 without his consent, but is trying to find out. Secondly, from reading some other people's questions, it looks like the company should have sent out to all their clients information and a form to sign stating that they understand these new laws. Nothing has ever been sent to us from this insurance company. Does this violate the law and if so who do I report this to? Thank you.
|
|
Answer:
|
The individual who is the subject of the protected health information can exercise all rights granted by the HIPAA Privacy Rule with respect to all protected health information about him or her, including information obtained while the individual was an unemancipated minor consistent with State or other law. Generally, the parent would no longer be the personal representative of his or her child once the child reaches the age of majority or becomes emancipated, and therefore, would no longer control the health information about his or her child. Of course, any individual can have a personal representative – which may include a parent – who can exercise rights on his or her behalf.
|
|
|
|
Question # 144:
|
As a network administrator, if you go in and design or work on a network for a company that is under the HIPAA standard, is there anything that needs to be done for me to work on that network? If so, could you send me all the info?
|
|
Answer:
|
Working on network computers that contain Protected Health Information (PHI) makes you a Business Associate. You need to have a BA contract with the company(ies). The HIPAAps.com website will give you the information you need and has all the information you need to become HIPAA compliant.
Thanks for your question.
|
|
|
|
Question # 143:
|
It is past the HIPAA deadline date and the Orthodontist I work for is not HIPAA compliant in any way. As a matter of fact he thinks it is nothing but a joke. We have tried to get him to get with the program, but no luck. For him, rules are for other people. I'm not sure what to do, any suggestions??
|
|
Answer:
|
Direct him to our What is HIPAA? page. You could also print out that page, highlighting the paragraphs that describe the penalties that can be imposed for non-compliance, and leave it on his desk.
Depending on the type(s) of violations, he could be hit with fines, or even a prison term. (How does he look in an orange jumpsuit?) Adapted from the glossary:
[HIPAA] also creates a system for compliance review by HHS Office of Civil Rights and a system of sanctions ranging from civil penalties of $100 per day to criminal charges, which could lead to prison sentences of up to ten years and fines of up to $250,000.
The penalties for non-compliance with the transactions and code sets are $100 per occurrence up to a maximum of $25,000 per standard per year.
The civil penalties for covered entities that violate the privacy standards are $100 PER incident, PER year, PER standard violated, to a maximum of $25,000 per person (patient).
The federal criminal penalties for violation of privacy are:
- Up to $50,000 fine and/or up to one year in prison for obtaining or disclosing protected health information.
- Up to a $100,000 fine and/or up to five years in prison for obtaining protected health information under false pretenses.
- Up to $250,000 fine and/or up to ten years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
I don't think he'd find it much of a "joke" if he were investigated and started seeing how big the fine was getting! Simply not having the patient files in a secure place would be fined at $100 per file. Not so bad, until you realize you have (for example) 500 patient files- that's $50,000! If he doesn't have a Notice of Privacy Practices in place, that's $100 per patient... and the fine's up to $100,000.
Hopefully you'll be able to convince your boss that HIPAA is serious business, before he finds out the hard way!
|
|
|
|
Question # 142:
|
If you are the responsible party, are you allowed to call and find out about the charges that are applied to your spouse and children?
What if you are not the responsible party, but are listed under the policy? Are you allowed to call and ask about the charges that were applied to your spouse's acct?
If you are under 18 years of age, does your parent have the right to call about the charges to your acct under the HIPAA law?
|
|
Answer:
|
If you are legally eligible to receive this information and can document that and your identity, the clinic should provide you the information. If you can't, then the clinic cannot release it to you.
Under HIPAA, the clinic has a responsibility to protect the privacy of their patients and must follow the rules.
|
|
|
|
Question # 141:
|
Is a sign in sheet o.k.?
If a family member or friend calls looking for a patient, can we pass the phone to the patient?
|
|
Answer:
|
Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).
If you pass the phone to the patient, it would be up to the patient to keep any medical information to a minimum.
|
|
|
|
Question # 140:
|
I manage a 911 answering center who dispatches fire depts. and ambulances. Would our operation fall under "covered entity" as we broadcast over the air the call type and location of medical emergencies? Often times we will use the caller's name or residence name and the type of emergency (i.e., diabetic emergency, Smith residence, 123 Main St, etc.).
If we were to refrain from saying the name of the caller, would we then fall into compliance?
We also fax time response data to hospitals after ambulances arrive so that they can complete their run forms. This information includes name, time of dispatch, arrival, etc. Would these faxes violate the regulations? If they were faxed to a secured room would that make a difference?
Thank You.
|
|
Answer:
|
The HIPAA Privacy Rule covers "(1) Health Plans; (2) Health care clearinghouses; and (3) Health care providers who conduct certain financial and administrative transactions electronically."
It appears that you are collecting Protected Health Information (PHI) on a patient and that you are using electronic transactions, which would make you a covered entity. Therefore, you would need to be HIPAA compliant. The easiest way to become compliant is to go to www.hipaaps.com. All the forms, procedures and information are on that site, plus procedures to train all employees.
And, yes, the fax machine should be located in a secured room where only the people that need the information would see it.
|
|
|
|
Question # 139:
|
Are there any identifying stickers, dots, or other methods we can use for the front of a patient's chart to indicate a health alert other than a sticker naming the health alert? Currently, we are putting the health alert inside the pocket chart so that it is not visible from the outside; however, there has been an incident where the information was missed. Is it within the HIPAA policy to put a 'colored' sticker alerting the staff that there are health alerts to be alerted to? Thank you.
|
|
Answer:
|
As far as we can tell, the use of (for example) an allergy sticker on the folder probably falls under the "reasonable use" provisions of the law. "Reasonable use" includes things like calling a patient's first name in the waiting room to let them know the doctor is ready to see them; while it does violate absolute privacy to a small degree, it's a necessary part of clinic operations.
The acceptability of the sticker might depend on how specific it is, how large it is, whether other patients are likely to see it, etc. If it just says "allergies" or "drug allergies", it's probably fine; if it's more specific, and visible (easily read) to other patients, that could be an issue.
The important thing is for your office to document their decision, either way. If you would like to continue using it (and it does seem a reasonable thing to do in a patient care situation), you should document the decision and explain why you think it would NOT be a violation to do so. Might also be good to put in a brief explanation of why they have chosen to use the sticker- studies show fewer mis-prescribed drugs, or whatever the deciding factor was for them. (With HIPAA, it's generally better to overdocument than underdocument!)
If, at a later time, you do find out it is a violation, then they can change the procedure and remove the stickers, or go to a variation on the theme, such as using a blank, color-coded tag on the outside of the folder, with the allergy warning inside. (Obviously, documenting the change in policy, date undertaken, and date completed.) Having documented the original plan and reasoning for it should theoretically be enough to protect them from any possible HIPAA fines, as they had obviously made a good-faith effort to comply and thought out the decision carefully beforehand.
|
|
|
|
Question # 138:
|
What are the 19 HIPAA Identifiable Health Information fields?
|
|
Answer:
|
This information is available in our glossary, under "Protected Health Information". I have included the definition below.
Protected Health Information (PHI)
Individually identifiable health information:
- Except as provided in paragraph (2) of this definition, that is:
  - Transmitted by electronic media;
  - Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or
  - Transmitted or maintained in any other form or medium.
- Protected health information excludes individually identifiable health information in:
  - Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; and
  - Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).
PHI includes references to not only the patient, but also their relatives, employers, or household members.
The items that constitute PHI:
- Name
- Address
- Phone Numbers
- Fax Number
- Dates (birth, death, admission, discharge, etc.)
- Social Security Number
- E-mail Address
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Certificate or License Numbers
- Vehicle Identifiers and Serial Numbers, including license plate numbers
- Device Identifiers and Serial Numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) Address Numbers
- Biometric Identifiers, including finger and voice prints
- Full Face Photographic Images and any comparable images
- Any other unique identifying number, characteristic, or code
- Patient's Medical History
Exclusion for Employment Records
The final Rule clarifies that employment records maintained by a covered entity in its capacity as an employer are excluded from the definition of protected health information. The modifications do not change the fact that individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information.
|
|
|
|
Question # 137:
|
I would like to know whether HIPAA requires healthcare agencies to disclose information without an authorization to parents and/or guardians when the request is made via phone or in person without reviewing the record? Is an Authorization to Release Health Information valid when a person's name and their agency is listed on the form and the street address is listed on the address field?
|
|
Answer:
|
I'm not real clear as to what you are asking, but let me give it a try. HIPAA does not require disclosure; it requires protection. A healthcare clinic has a responsibility to not release protected health information without an authorization. And it should at least confirm the identity and legal authority of the person requesting that information.
A healthcare clinic can require their own specific authorization. I am not sure what you are asking about the form otherwise.
|
|
|
|
Question # 136:
|
How long should we keep patient information? Does it depend on what kind of information it is?
|
|
Answer:
|
Everything I've seen in the HIPAA privacy and security regulations has referred to keeping data for six years after the last use. So far as I've been able to find, it's the same for all materials.
The specific references are to patients being able to request information for up to six years after their last visit.
References:
45 CFR 164.528 Accounting of disclosures of protected health information.
|
|
|
|
Question # 135:
|
I am the medical unit manager for telephonic Workers Compensation Case Managers. We by state law have to have a Form 25C completed by the injured workers to access their medical information. Now we are being told by many medical groups that they can not give us any information, even a next appointment date, due to HIPAA. Is this correct? Are we not exempt?
|
|
Answer:
|
The Privacy Rule is not intended to impede the flow of health information to those who need it to process or adjudicate claims, or coordinate care, for injured or ill workers under workers’ compensation systems. The minimum necessary standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose. For disclosures of protected health information made for workers’ compensation purposes under 45 CFR 164.512(l), the minimum necessary standard permits covered entities to disclose information to the full extent authorized by State or other law. In addition, where protected health information is requested by a State workers’ compensation or other public official for such purposes, covered entities are permitted reasonably to rely on the official’s representations that the information requested is the minimum necessary for the intended purpose. See 45 CFR 164.514(d)(3)(iii)(A).
For disclosures of protected health information for payment purposes, covered entities may disclose the type and amount of information necessary to receive payment for any health care provided to an injured or ill worker.
The minimum necessary standard does not apply to disclosures that are required by State or other law or made pursuant to the individual’s authorization.
|
|
|
|
Question # 134:
|
I recently took my 4 year old daughter to the dentist for the first time. They told me that I could not go back with my daughter during her care because of HIPAA and OSHA. I am shocked to hear from several staff members that it was because of HIPAA. I think it should be against the law to allow a minor child to receive medical/dental care without the parent being there to monitor the treatment. How does HIPAA stand on that issue? Was the Dentist office incorrect in telling me that information? Needless to say, my family will not go back to that office.
|
|
Answer:
|
HIPAA does not address this situation at all. Sorry.
|
|
|
|
Question # 133:
|
I work at a dental office. We do not have computers; we do everything by hand. Do we have to follow HIPAA laws?
|
|
Answer:
|
The HIPAA Privacy Rule covers health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
These entities are bound by the new privacy standards even if they contract with others - called business associates - to perform some of these essential functions.
If none of your transactions are done electronically either by your office or by a business associate, you may not be a covered entity. However, very shortly, as I understand it, Medicare will not accept any billing other than electronically. It is just a matter of time before insurance companies follow suit.
To find out for sure if you are a covered entity or not, take the test on HIPAAps.com. Then check out how easily you can become compliant through that web site.
It is better to become compliant before you have a complaint.
|
|
|
|
Question # 132:
|
I went to my Dr. the other day and they said they HAD to make a photocopy of my driver's license or they would not see me. I said no way. You can look at it and verify it's me. I won for the moment but next time they would not see me. I told them any office person or night cleaning person could take it from my file and use it for identity theft, which is the number one crime in America today! Every law enforcement dept. will tell you not to let anyone photocopy your license for any reason. Some people don't even have a license for many reasons. Can you shed some light on this? Thanks in advance! Scott Russell
|
|
Answer:
|
Apparently this office has adopted this as part of their HIPAA policies and procedures by requesting confirmation of your identity. The request for a copy for their file is to document your identity. I could say that HIPAA requires this office to protect ALL patient data and if your privacy is violated the office is liable. That probably doesn't satisfy you. Why not ask if there is some other form of identification that you can use instead of your license?
|
|
|
|
Question # 131:
|
I am the office manager at a dental office. I have patients that need to premedicate before appointments. My question to you is: 1. By law, who may I leave the reminder to premedicate with if I do not speak to the patient directly? 2. Can my office write up a consent form that the patient may sign indicating who I may leave a premedicate reminder with according to the patient?
|
|
Answer:
|
A covered entity may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
Having the patient sign a consent form indicating who he/she would prefer you leave a message with is a good idea also.
|
|
|
|
Question # 130:
|
Is there a price bracket for practices to charge for copying your chart? We have been requesting a particular practice to release copies of my wife's file for months and they will not cooperate. Today we went in and asked to fill out another authorization, the receptionist stated where she was only releasing the records to me and not to another doctor she had to charge me $15.00 for copying and then an extra $0.50 for each page she copied (the way she said it sounded like she said $15.50 per page, we are not really sure which way she meant). We stated no way. She said if we had it copied and sent to another doctor it would have been free, though. Is that legal?
|
|
Answer:
|
The Privacy Rule permits the covered entity to impose reasonable, cost-based fees. The fee may include only the cost of copying (including supplies and labor) and postage, if the patient requests that the copy be mailed. If the patient has agreed to receive a summary or explanation of his or her protected health information, the covered entity may also charge a fee for preparation of the summary or explanation. The fee may not include costs associated with searching for and retrieving the requested information. See 45 CFR 164.524.
The HIPAA Privacy Rule permits physicians to disclose protected health information to another health care provider for treatment purposes.
Prices are set by the covered entity and not by HIPAA.
|
|
|
|
Question # 129:
|
Can non-profit organizations receive any government relief fund to assist in the transition?
|
|
Answer:
|
I cannot answer this question. You will need to check with the government relief agencies for an answer. Sorry.
Are you a covered entity?
|
|
|
|
Question # 128:
|
When changing from one doctor to another, I was told by my old doctor (Dr. B) that she could not release the full contents of my file to my new doctor (Dr. A), because some of it was created by another doctor (Dr. C) I saw before going to Dr. B. Dr. C says they no longer have my file. Dr. A needs to know my full history; is it true that Dr. B can't release this information?
|
|
Answer:
|
According to the Guidance Document on HIPAA privacy and security, produced by the US Department of Health and Human Services, Office for Civil Rights (the organization in charge of enforcing the HIPAA privacy and security regulations):
"the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment."
We have a copy of that section of the guidance document online at: http://www.hipaaps.com/dec2002/04-minimumnecessary.html; this particular item is the 5th question from the bottom.
(The full guidance document can be found in many places, including http://www.hipaaps.com/dec2002/01-Introduction.html and http://www.hhs.gov/ocr/hipaa/privacy.html.)
The legal definition of "treatment" can be found at 45 CFR 164.501:
"Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another."
It sounds like your old doctor's office has either misunderstood this portion of the law, or is erring on the side of being overly cautious. If they're still giving you trouble, it might help to print out the Minimum Necessary portion of the guidance document and highlight the question specifically dealing with this issue. You may want to include the URL for the official copy of the document, http://www.hhs.gov/ocr/hipaa/privacy.html.
|
|
|
|
Question # 127:
|
With regards to state subpoenas issued by attorneys, must a custodian of records comply with the subpoena as long as proper notice was sent to patient's attorney (notice to consumer), and not require defense counsel to obtain a signed authorization from the patient? Please clarify!!
|
|
Answer:
|
That is a great question, but it calls for a legal interpretation which we can't give. You need to check with your legal counsel. Or you could also refer to the site www.HIPAAps.com Legislature Library for help; 45 CFR 164.512 sets out the requirements and exceptions for disclosure of records when you do not have the patient's authorization.
I hope this helps.
|
|
|
|
Question # 126:
|
When patient information is being stored on a network server, what security measures are required by law to guard against hackers getting onto the network and stealing confidential patient information? What types of patient oriented facilities are held to this standard; Nursing homes, hospitals, insurance companies, etc.?
|
|
Answer:
|
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who conduct certain financial and administrative transactions electronically.
These entities are bound by the new privacy standards even if they contract with others (called business associates) to perform some of the essential functions.
When the information is being stored on a network server, the security measures are whatever make sense to keep the information protected from any outside source. The law says the information must be protected; it does not dictate how. The best protection is a good firewall, passwords, etc.
I hope this helps.
|
|
|
|
Question # 125:
|
My husband has physical custody of his 13 year old son, who is being treated with Orthodontics/braces. We have a contract account set up with the Ortho office. The biological mother is required by Court Order to pay on this child.
When my husband calls the Orthodontist office to ask if they have received payment or if the mother has set up payment arrangements, the Office says that they cannot give my husband, the Custodial Parent, that information because of the new HIPAA law.
Is this correct? Please elaborate.
thank you,
Laurie
|
|
Answer:
|
If the child's mother does not pay the bill, is the father liable?
HIPAA says: "The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity, to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made. Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information."
|
|
|
|
Question # 124:
|
I forgot to include the question about discussing patient information earlier.
If the patient is in a group home, can you discuss the patient's information with the home staff (manager, medical coordinator, provider), or does it have to be the legal guardian?
Thanks again.
|
|
Answer:
|
What information? If this is information you need to care for the patient properly and if you do so in a discreet manner, you would be within HIPAA regulations. However, the guardian and/or the personal representative should also be included in these discussions.
|
|
|
|
Question # 123:
|
When I call in for work, like when I have the flu or something else, should the boss go telling everyone that you're off sick and what's wrong with you? And then go around making jokes about you and your illness while you're off sick??
thank you
tracy
|
|
Answer:
|
This is really an HR problem. If your boss got his information from the HR department, it could be considered a violation.
Your boss needs to review the HIPAA regulations such as those on HIPAAps.com.
|
|
|
|
Question # 122:
|
I work for a psychiatrist's office. Most of our clientele here are developmentally disabled and in group homes. My question is:
1. Can the staff (either medical coordination, home manager, or provider) sign for the patient, if they are not able to sign for themselves since the guardian never comes in or is impossible to be found?
2. If the home staff is unable to sign on the patient's behalf, can we make a copy of the guardianship paper, attach it to the form and fill in the bottom half of the form stating they are mentally incompetent?
Thanks hope to hear from you soon.
|
|
Answer:
|
This sounds like a legal problem as opposed to a HIPAA problem.
Each patient should have a legal personal representative who is responsible for authorizing their care if they are unable to do so for themselves.
|
|
|
|
Question # 121:
|
I work for a group of specialists and we have a HIPAA privacy officer. She has come up with multiple forms to have patients sign and recently even a graph for all employees to sign if they have had access to the chart. I feel as though we, as employees of the practice, do not need to sign each time we touch the chart for any reason. Is this really part of the law?
|
|
Answer:
|
Each covered entity needs to have its individual set of rules for becoming and staying HIPAA compliant. These are the safety rules set up by the group and not directly dictated by the HIPAA laws. If the group feels this is important then the rules need to be followed.
|
|
|
|
Question # 119:
|
I work in a physician's office and I am on the telephone constantly changing appointments. I am really concerned when I call the patient's house and someone other than the patient answers and they ask who I am, and where I am calling from. Am I allowed to give them the name of our practice, and why I am calling the patient? Thank You
|
|
Answer:
|
A covered entity may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
|
|
|
|
Question # 118:
|
About a month ago my son had some lab work done at a local hospital ordered by his pediatrician. I asked for his lab result and was given some vague answers that I still had answers about. I called the office back and asked them to fax the results to his oncologist's office in another city, which they did. I called his primary doctor's office back again and asked for a copy of his labs. I was told they didn't have a copy of it, which I knew was not true since they had already faxed a copy to someone else. I again asked for a copy of the results. This time I was told I had to sign a release at the hospital to find out my child's results. I had already signed a release at the time of the lab so I didn't know why I had to do it again to get the results. I called the 888 number on the HIPAA website. The person I spoke to agreed that I should have access to my son's record. I called the office and asked again and they released my son as a patient after almost 4 years, apparently because I questioned this. Not only is this unfair to me, but cruel to my son. If they can release info to our insurance company and fax records with only verbal consent, how can they refuse to release lab results to a three year old's mother?
|
|
Answer:
|
The Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.
There are three situations when the parent would not be the minor’s personal representative under the Privacy Rule. These exceptions are: (1) when the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law; (2) when the minor obtains care at the direction of a court or a person appointed by the court; and (3) when, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship. However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access. Parental access would be denied when State or other law prohibits such access. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor’s medical information.
Finally, as is the case with respect to all personal representatives under the Privacy Rule, a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.
I hope this helps answer your questions.
|
|
|
|
Question # 117:
|
I do not know if this falls under HIPAA or not so here goes. I have a relative that is being taken care of by a family member who also has POA. They have 24 hour help and have been doing this care for almost a year. At this time the relative needs to be placed in a long term care facility due to increased confusion, safety, and the physical and mental health of the care givers. Here is the problem: when the relative is ready to be transported to the facility there seems to be no reason to place them in a long term facility because the confusion clears up. When this relative arrives at the long term care facility, when asked if she will stay the answer is no. At this point the facility will not accept the relative. Is this the result of the HIPAA legislation?
|
|
Answer:
|
No, I would say this has nothing to do with HIPAA legislation.
|
|
|
|
Question # 116:
|
If a relative (sister) calls a crisis line and asks if you know her sister, are you in violation of HIPAA if you acknowledge the situation - the sister was concerned about her mentally ill sister's living arrangements because the neighbor was making it impossible to sleep - due to noise.
|
|
Answer:
|
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who do electronic transactions
In my opinion, a crisis line probably would not fall into these categories. You might, however, be considered a Business Associate (BA):
(1) A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. And (2) A person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity.
You might need a BA contract with the hospital(s) or doctor(s) you work with.
|
|
|
|
Question # 115:
|
My mother is in a county nursing home in Tn. She and my dad divorced several yrs ago. Being mentally/physically handicapped from an accident 50 yrs ago, my siblings and I had to sign her divorce papers. She is unable to read and write. She would have no idea what a nurse would be saying in regard to HIPAA. My sister lives close by and has always taken care of her needs. The nursing home personnel call one of us when they report falls, need consents for procedures, and for other things of this nature. But when my sister and I tried to find out medications she was taking or to look at her chart, the nurse said according to HIPAA, they could not do this. The nurse called the Dr. and he said it would be ok for them to allow us a copy of her medicines. My mother can't sign papers, read anything or comprehend anything like HIPAA. Doesn't my sister have any rights here? What would be her rights? I have read a lot of the information on your web site, but I am still confused. Please give me any information to assist us in what our rights are when taking care of my mother's needs. Thank you
|
|
Answer:
|
State or other law determines who is authorized to act on an individual’s behalf, thus the Privacy Rule does not address how personal representatives should be identified. Covered entities should continue to identify personal representatives the same way they have in the past. However, the HIPAA Privacy Rule does require covered entities to verify a personal representative’s authority in accordance with 45 CFR 164.514(h) which says: "Standard: Verification requirements. Prior to any disclosure permitted by this subpart, a covered entity must:
(i) Except with respect to disclosures under Sec. 164.510, verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity."
I hope this helps.
|
|
|
|
Question # 114:
|
We have a patient who is under 18. Her Mother has signed all the contracts and is the responsible party, yet has never brought her daughter to any appointments, never called to check on her progress. Her GrandMother has brought her instead. If the Mother isn't available to sign and isn't available for updates, is the GrandMother legally able to sign and receive the updates from the Doctor?
|
|
Answer:
|
State or other law determines who is authorized to act on an individual’s behalf, thus the Privacy Rule does not address how personal representatives should be identified. Covered entities should continue to identify personal representatives the same way they have in the past. However, the HIPAA Privacy Rule does require covered entities to verify a personal representative’s authority in accordance with 45 CFR 164.514(h).
|
|
|
|
Question # 113:
|
Dear Sir,
The question I am asking is: is the program PC Anywhere, used to transfer files from computer to computer via a modem or TCP/IP connection, HIPAA compliant? Some of the other software that I have checked into says they are compliant with 128 bit encryption and transferring files straight to the other computer with no stopping point. PC Anywhere has the same compatibility. With the other programs you can not use it to take control of the PC you are needing to use. The reason is that the work I send to my clients, I print for them. The computers at their locations do not have an internet connection. So I am the only one that can access the computer. If PC Anywhere is not compliant can you please let me know of a program that will give me the same function as what I am needing. Thank you for all information you can provide.
|
|
Answer:
|
I am not that familiar with PC Anywhere. Probably you should ask this question of the company who owns PC Anywhere. They should be able to enlighten you on its security.
Sorry I can't be more help.
|
|
|
|
Question # 112:
|
I work for a chiropractic office and we send out letters to previous patients. The letters are offering the patient a complimentary exam and free adjustment. Are these types of letters within HIPAA guidelines?
|
|
Answer:
|
Yes, if the communication is for the individual’s treatment or for case management, care coordination, or the recommendation of alternative therapies. The HIPAA Privacy Rule permits the use of clinical information to the extent it is reasonably necessary for these communications.
|
|
|
|
Question # 111:
|
I work for a third party appointment confirmation service exclusively for dentists. Our firm has signed the appropriate forms for HIPAA compliance. We transmit lists of client names, appointment dates and phone numbers via a secure FTP site and encrypted e-mails. Does this comply with HIPAA regulations? Do the e-mails have to be encrypted, given the limited information on them?
|
|
Answer:
|
To whom do you send the client lists? To the appropriate dentist of the patient?
The Privacy Rule regulates covered entities, not business associates. The Rule requires covered entities to include specific provisions in agreements with business associates to safeguard protected health information, and addresses how covered entities may share this information with business associates. Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting, as provided for by 45 CFR 164.524, 164.526, and 164.528.
Your BA contract should answer your questions for you.
|
|
|
|
Question # 110:
|
We are attempting to put together a new medical authorization with HIPAA recent changes. Your sample authorization refers to contacting an HIM director if you have questions about an authorization violation. What does HIM stand for and would our state's department of health be a proper agency to take such phone calls?
|
|
Answer:
|
I'm not sure what you are asking. If you are a member of HIPAAps, and have gone through the process of becoming HIPAA compliant, the information you need is all there.
Are you a covered entity? Check it out at http://www.hipaaps.com
|
|
|
|
Question # 109:
|
I am a clerk supervisor and since having the HIPAA training there have been questions that arise among myself and the nurses. One question is when someone calls to the hospital and asks for the patient's room # is it ok to transfer them to that rm #? Another similar question is if someone calls the hospital and asks for a patient by name, are we allowed to transfer the call to the room not giving the caller the room # but just transferring the call, is this a violation to do this? Another incident that we have faced is people coming up to the desk and asking what room a certain patient is in, is it legal for us to give them the room # or direct them to the room? The last problem is when you have a semi-private room and the Dr's are in making rounds, well while he is in there discussing the problem or lab values or whatever with his pt. there is a visitor in visiting the other pt, yet hearing everything that the Dr is discussing with his pt, how can the pt's confidentiality be kept from the other pt. and/or their visitors? Your help is greatly appreciated in helping me provide our pt's with keeping them and their status safe and.
|
|
Answer:
|
Questions re: phone calls and location of patient's rooms: These are hospital procedure questions and not HIPAA regulations as long as no medical information is being released and if the patient does not object to getting phone calls and visitors to his/her room.
re: Patient information in a semi private room:
The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this Rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers’ primary consideration is the appropriate treatment of their patients. The Privacy Rule recognizes that oral communications often must occur freely and quickly in treatment settings. Thus, covered entities are free to engage in communications as required for quick, effective, and high quality health care. The Privacy Rule also recognizes that overheard communications in these settings may be unavoidable and allows for these incidental disclosures.
For example, the following practices are permissible under the Privacy Rule, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby:
- Health care staff may orally coordinate services at hospital nursing stations.
- Nurses or other health care professionals may discuss a patient’s condition over the phone with the patient, a provider, or a family member.
- A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.
- A physician may discuss a patient’s condition or treatment regimen in the patient’s semi-private room.
- Health care professionals may discuss a patient’s condition during training rounds in an academic or training institution.
- A pharmacist may discuss a prescription with a patient over the pharmacy counter, or with a physician or the patient over the phone.
In these circumstances, reasonable precautions could include using lowered voices or talking apart from others when sharing protected health information. However, in an emergency situation, in a loud emergency room, or where a patient is hearing impaired, such precautions may not be practicable. Covered entities are free to engage in communications as required for quick, effective, and high quality health care.
|
|
|
|
Question # 108:
|
Hello: I have a 17-year-old daughter whom I took to the physician. Well, because I'm a male I let her go by herself inside the doctor's office. Right when she finished, at the office they did not explain to me what my daughter had. The next day they called home asking for my daughter and I told them that she was in school and I was her father so they could tell me why they wanted to speak to my daughter. Well, they told me that regardless of my being her parent they cannot give me any medical information regarding my daughter; even if my wife and I appear at the doctor's office they would not give us such information.
Is that legal?
|
|
Answer:
|
The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner.
A covered entity may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
|
|
|
|
Question # 107:
|
Hello, I have heard a lot of talk about HIPAA, but the thing that really got my attention was someone said their minister gave about a 10 minute talk on how this affects putting people on a prayer list. This got a lot of ears perked; can you clear this up if there is any validity to this?
Thank you!
Stac
|
|
Answer:
|
I am not sure where that information comes from. HIPAA does not exclude prayer lists.
The HIPAA Privacy Rule allows this communication to occur, as long as the patient has been informed of this use and disclosure, and does not object. The Privacy Rule provides that a hospital or other covered health care provider may maintain in a directory the following information about that individual: the individual's name; location in the facility; health condition expressed in general terms; and religious affiliation. The facility may disclose this directory information to members of the clergy. Thus, for example, a hospital may disclose the names of Methodist patients to a Methodist minister unless a patient has restricted such disclosure. Directory information, except for religious affiliation, may be disclosed only to other persons who ask for the individual by name. When, due to emergency circumstances or incapacity, the patient has not been provided an opportunity to agree or object to being included in the facility's directory, these disclosures may still occur, if such disclosure is consistent with any known prior expressed preference of the individual and the disclosure is in the individual's best interest as determined in the professional judgment of the provider. See 45 CFR 164.510(a).
|
|
|
|
Question # 106:
|
I am setting up a pill identification/medication information site with a colleague that will transmit the results via email. I am a pharmacist and have a few questions on how HIPAA would relate to our pill ID services.
1. If someone requesting a pill identification violates HIPAA rules (eg. an employer finds out an employee is on an HIV drug from poking in their coat pockets), does this mean that we should not perform the identification (because they disclosed too much)?
2. Does this apply to parents finding capsules or tablets in their children's rooms or other personal spaces?
3. To what extent are we responsible for private information that individuals disclose to us, even though we warn them not to?
4. Is it contrary to HIPAA regs to record name and other information associated with a credit card transaction together with a request for pill identification? We are making no assumptions that the pill ID is for the patient whose name is on the credit card.
Thank you for your assistance.
|
|
Answer:
|
Real interesting questions.
The first question is "are you a covered entity?" or are you providing a service that has nothing to do with protected health information of a specific identified individual? If you are a covered entity then you must protect the privacy of your clients/patients. If you happen to be a business associate of a covered entity or entities in the sense that PHI is given to you by them for your services then HIPAA applies to you through the business associate agreement.
If your business is not a covered entity or a business associate, HIPAA does not apply to you.
|
|
|
|
Question # 105:
|
If a patient has a balance due on their account, and other patients are in the office, should you under the HIPAA law discuss this patient's balance due in private or in front of other patients? You are not discussing privacy issues...
Thank you
|
|
Answer:
|
Since when is a person's money or obligations not a privacy issue? I would not appreciate someone informing a room full of strangers about my personal business.
The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made.
However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.502(b), 164.514(d), and 164.522.
|
|
|
|
Question # 104:
|
Please define a secure fax.
Example: requesting copy of referral from PCP office; can this be faxed to provider from PCP?
2. Can EOBs from insurance be faxed to provider?
Thank you
|
|
Answer:
|
Is there such a thing as a secure fax? I would say that a secure fax would be one that ONLY the person who needs to see the information COULD see the fax.
For instance, if the janitor walks in to clean the room where the fax machine is at the time the information is being transmitted, the fax is not secure.
Your above examples would probably include information that should not be available to most of the employees who could be near the fax machine. I guess it would depend on where the fax is placed and who has availability to it.
|
|
|
|
Question # 103:
|
We are an attorney service and we obtain records for our defense attorneys with subpoenas, and there have been several doctors that will not accept or release records because of this new law; they are telling us that we need a signed authorization from the patient in order to release any records. But the records that are being sought are for a defense counsel and not the patient's attorney. So will subpoenas be no good at all to obtain the records for the cases at hand?
Thanks, Donna
|
|
Answer:
|
HIPAA states:
(1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:
(i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order.
I hope this helps.
|
|
|
|
Question # 102:
|
My daughter runs a one man dental office. One of the dental insurance companies set up a time to review eleven charts of their covered members. No one provided any signed releases on these patients so the dentist refused to allow them access. My daughter is trying to comply with the insurance company who is verbally screaming at her about their "HIPAA rights" and the dentist is saying no from his end. She is caught in the middle and getting slammed from both sides. Are signed releases required of the insurance companies and should signed releases be issued by the dental office also? Help quickly please.
|
|
Answer:
|
I am not entirely clear of this situation but let me see if I can help. Signed releases are not needed for normal operations relating to Treatment, Payment and healthcare Operations. I would venture a guess that the insurance companies want to review the records in order to make a claim payment or review a payment. Claim payments are part of TPO. Your office's Notice of Privacy Practices should explain protected health information will be used for that purpose. A signed receipt from the patient indicates the notice was received by the patient. No signed consent form is required although we recommend an office use one.
So it appears the insurance companies have a legitimate request.
|
|
|
|
Question # 100:
|
I work for the special education section of our school board. When we are doing IEPs that must have a health plan to go along with that IEP, we have a parental release that the parent of the student signs for us to send to the physician to request the most current records. Our guidelines state that we must have records that are within a year of the IEP. Today a doctor's office called and said our parent signed request for records is no longer valid according to HIPAA and that the parent must come to their office to sign a release in order for us to get records. It is hard enough getting parents to sign our release or even come to the IEP, let alone get them to go somewhere to sign a release. This is really going to hinder us in our being able to provide the proper services to these children in school. Is our parent release, which is kept confidential as is all of our children's records and information, okay to use?
Thank you
|
|
Answer:
|
The release you have allows you to ask for the information. However, HIPAA says that the covered entity must have an authorization to release a person's (or dependent's) medical information. The doctor's office is correct in saying they need the parent's authorization to forward the information to you.
I hear what you are saying about the inconvenience, but the parents need to honor the doctor's request.
|
|
|
|
Question # 99:
|
We are in the process of purchasing patient confidential material receptacles from Rubbermaid, the big question is for receptacles to be used at nurses stations do they have to be fire retardant?
Please advise.
Bernice M. Sierchio, Director
Environmental Services
Pennsylvania Hospital
|
|
Answer:
|
HIPAA says you have to protect the privacy and security of your patients' protected health information. And HIPAA says you have to be able to handle a catastrophe such as a fire and be back in business. And you have to protect the information for a minimum of six years. HIPAA does not specify how to do it. This is a common sense question. What makes sense to you?
|
|
|
|
Question # 97:
|
It has been told to us that if your business makes less than 5 million a year that they do not need to be HIPAA compliant. Is this true? We are a healthcare office.
Thanks.
|
|
Answer:
|
This is wrong. The criterion is whether you do electronic transmissions of protected health information. The $5 million applies to health care plans.
|
|
|
|
Question # 96:
|
I work in a medical supply store that handles O2, crutches, walkers, wheelchairs, etc. Now if a patient comes in and has a script for a wheelchair and I let her know about the Notice of Privacy Practices and to acknowledge that she has read it, and signed the acknowledgement of receipt, does she have to take a copy or can she just read the ones that are in the office? Does she actually have to take one with her or can she just read and sign?
|
|
Answer:
|
The person does not have to keep a copy, but it would be prudent to keep the signed copy of the receipt of privacy practices in the patient's file for your records.
|
|
|
|
Question # 95:
|
I was wondering if you are able to leave an appointment message on the patient's machine or with a person at their home?
|
|
Answer:
|
A covered entity may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
|
|
|
|
Question # 94:
|
Would an elementary school with a school nurse, who keeps children's medical info on file, need to be HIPAA compliant, or be considered a HIPAA entity?
|
|
Answer:
|
HIPAA rules apply to medical insurance companies, healthcare providers that do electronic transmissions, clearing houses and healthcare plans.
|
|
|
|
Question # 93:
|
I was recently fired from a company for being in violation of HIPAA. I was told that I spoke to a woman's husband about her condition in a public place. I have no recollection of this. I asked them who I said this to, who I said it about, and where I said it. They would not answer me and said that she did not want me to know who she was. My question is, do I not have the right to face my accuser? Please let me know.
Thank you in advance
|
|
Answer:
|
If you did this it is a potential violation. However, what does the HIPAA policies and procedures manual of your ex-employer say about this? What are the employer's procedures for correcting this type of violation? This seems rather extreme?
|
|
|
|
Question # 92:
|
My daughter has a child, my granddaughter, whose father has partial custody. My daughter's insurance provides for my granddaughter's health care. Recently her daughter went to the doctor and the father called for information about the visit. The nurse he talked to provided him with all the information he requested, although the doctor's office has no official documentation showing who the father is or what type of custody agreement was reached in court. Now he got this information via a telephone conversation with a nurse at the primary care physician's office. The nurse answered his questions because he said he was the father.
Question: is this in violation of HIPAA regulations?
|
|
Answer:
|
Generally, even though this parent did not consent to the treatment in this situation, the parent would be the child’s personal representative under the HIPAA Privacy Rule. This would not be so when the parent does not have authority to act for the child (e.g., parental rights have been terminated), when expressly prohibited by State or other applicable law, or when the covered entity, in the exercise of professional judgment, believes that providing such information would not be in the best interest of the individual because of a reasonable belief that the individual may be subject to abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual.
However, I am not an attorney and can not give you legal advice. This is an issue beyond our expertise, but it appears that a violation may have been in giving too much information without documentation that the person on the phone has legal rights to that information.
|
|
|
|
Question # 90:
|
When doing callbacks for our internal medicine office are we allowed to speak to anyone other than the patient, for example spouse or adult child? Or are we only allowed to speak to these individuals if the patient says it's ok?
|
|
Answer:
|
A covered entity may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
|
|
|
|
Question # 88:
|
I have a question regarding going from one insurance to another. My daughter was being treated for an existing condition under another insurance before we were accepted to a new company. The new insurance company now will not cover any of the conditions she is being treated for. They stated they were "preexisting conditions" and we had to sign a 2 year rider. We should not have been denied coverage because according to the HIPAA act law my daughter was already being treated for this condition. Am I correct? Should it be only a grievance filed? I now am stuck with about 5,000 dollars worth of medical bills. My new insurance did not at all inform me as a new client of any new HIPAA laws. Is there anything I can do?
|
|
Answer:
|
HIPAA portability says that if you have prior qualifying coverage for at least 12-18 months prior to the effective date of the new coverage, and there has been no lapse in coverage for more than 63 days, then pre-existing conditions must be covered. The prior company will issue a certificate of coverage that must be submitted to the new insurance company to prove the prior coverage and the dates.
|
|
|
|
Question # 87:
|
If I gave written permission for my mother-in-law to have my daughter treated by a physician, is that physician obligated to see my daughter? They were turned away because of "HIPAA" and not given any information on this law when they were turned away. I was not informed of this law when I made the appointment and clearly stated that she would be coming with my mother-in-law. Any help would be greatly appreciated.
|
|
Answer:
|
The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524. The scope of access will depend on the authority granted to the personal representative by other law. If the personal representative is authorized to make health care decisions, generally, then the personal representative may have access to the individual’s protected health information regarding health care in general. On the other hand, if the authority is limited, the personal representative may have access only to protected health information that may be relevant to making decisions within the personal representative’s authority. For example, if a personal representative’s authority is limited to authorizing artificial life support, then the personal representative’s access to protected health information is limited to that information which may be relevant to decisions about artificial life support.
|
|
|
|
Question # 84:
|
1. IF A DR IS REVIEWING MEDICAL RECORDS AT A NURSES STATION AND YOU NOTICE HE IS REVIEWING THE RECORD OF ANOTHER PHYSICIAN'S PATIENT, AND IS NOT INVOLVED IN THAT PATIENT'S CARE, HOW DOES THE MINIMUM NECESSARY RULE APPLY HERE?
2. CAN YOU REQUEST BY A SCHOOL NURSE TO FAX OVER A STUDENT'S IMMUNIZATION RECORD WITHOUT PARENT'S SIGNED AUTHORIZATION?
3. IF A CHILD IS 12 YRS OF AGE AND A PARENT DEMANDS TO SEE HER RECORDS WHAT DO YOU DO?
4. IF PRIVACY POLICY IS VIOLATED WHAT HAPPENS?
5. WHAT IF I WANT TO ACCESS MY RECORDS, HOW IS IT ROUTED?
6. WHAT IF I WANT TO CHANGE MY MEDICAL RECORDS, WHO DO I TALK TO?
|
|
Answer:
|
1. If doctor B has no legitimate reason for reviewing the records of doctor A's patient then that could be a violation.
2. Based on HIPAA, the school is probably not a covered entity so that answer would probably be yes. However, there are other laws that could prohibit the school nurse from faxing the information depending on who is asking for it.
3. The Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.
4. It depends upon the severity of the violation. All Privacy violations should be reported to the Privacy Officer.
5 & 6. You need to discuss both questions with your doctor.
|
|
|
|
Question # 83:
|
We have a non-entity MD office. We do not file insurance. We are a payment at time of service office only. We do have some workman's comp claims that involve faxes. Do HIPAA guidelines apply to us? Do we need to have them posted? Thank you.
|
|
Answer:
|
I'm not sure what a non-entity MD office is. Are you saying your patients do not use insurance? If they do and you, or a third party, files the claims electronically, then you are a covered entity and the guidelines do apply. As for the workman's comp claims - at this time faxes are not considered electronic transmissions. However, we are all expecting them to be included in the future.
Go to www.hipaaps.com, click on 'What is HIPAA?' and choose 'Hipaa Links'. At the bottom of the page under 'Specific links' you will find a Flow Chart that will help you determine if you are a covered entity. If you find that you are a covered entity, HIPAAps.com will help you to learn what you need to do to be compliant.
|
|
|
|
Question # 82:
|
I work for a Fire Department and we run First Responder calls. We do trip sheets via internet. Do we need to be HIPAA compliant?
|
|
Answer:
|
It appears that you are collecting Protected Health information on a patient and that you are using electronic transactions, which would make you a covered entity. Therefore, you would need to be HIPAA compliant. The easiest way to become compliant is to go to www.hipaaps.com. All the forms, procedures and information are on this site plus procedures to train all employees.
|
|
|
|
Question # 81:
|
I am a chaplain in a pediatric hospital and have been asked by my denomination to write an article to advise parishioners on how to make sure their attendant clergy have access to them if they are hospitalized (if they so wish). I was wondering if you could enlighten me on how parishioners can ensure their clergy has access to them in the hospital.
Thanks.
|
|
Answer:
|
The HIPAA Privacy Rule allows this communication to occur, as long as the patient has been informed of this use and disclosure, and does not object. The Privacy Rule provides that a hospital or other covered health care provider may maintain in a directory the following information about that individual: the individual's name; location in the facility; health condition expressed in general terms; and religious affiliation. The facility may disclose this directory information to members of the clergy. Thus, for example, a hospital may disclose the names of Methodist patients to a Methodist minister unless a patient has restricted such disclosure. Directory information, except for religious affiliation, may be disclosed only to other persons who ask for the individual by name. When, due to emergency circumstances or incapacity, the patient has not been provided an opportunity to agree or object to being included in the facility's directory, these disclosures may still occur, if such disclosure is consistent with any known prior expressed preference of the individual and the disclosure is in the individual's best interest as determined in the professional judgment of the provider. See 45 CFR 164.510(a).
|
|
|
|
Question # 80:
|
My husband is in the military and our medical records are in a military base clinic. Before we moved, I asked them for my records and the records of our children. They said our new doctor's office would have to request them. They said they can't just physically give them to me. Is that right? Does HIPAA apply to government agencies also?
Thanks in advance,
N.Miller
|
|
Answer:
|
We have researched this question and can not find specific information concerning military base clinic medical information. But, yes, HIPAA does apply to government agencies.
However, since they will forward the information to your doctor, you will have access to the files at that time.
|
|
|
|
Question # 79:
|
Do we give a copy of the Notice of Privacy Practice to only new patients starting on April 14th, or only the new patients? Do we only get these new patients to sign a Receipt of Privacy or everyone?
|
|
Answer:
|
HIPAA applies to all patients of your practice. HIPAA has been the law for two years. Yes, you need a signed receipt to confirm the patient has received it. This receipt must go to their files.
|
|
|
|
Question # 77:
|
When doing callbacks, are we allowed to speak to the spouse of a patient regarding patient results? A lot of times a spouse or adult child will answer the phone and say give me the results. On several occasions the patient themselves will ask us to speak to their child, because of a language barrier or hearing loss, but what happens if the child or spouse picks up the phone first and says, give me the results and I will tell him or her?
|
|
Answer:
|
A covered entity may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
|
|
|
|
Question # 76:
|
What forms have to be signed by the patient? I know the Acknowledgement of receipt of notice of privacy practices, what about consent for use and disclosure of health information?
|
|
Answer:
|
The patient needs to sign the acknowledgement of the receipt of the Notice of Privacy practices. The consent for use and disclosure of protected health information is not mandatory, but it is in the covered entity's best interest to have it signed by the patient. In the membership tools of HIPAAps.com all the forms and information are available.
|
|
|
|
Question # 75:
|
Why are education records (such as immunizations) not considered PHI (Personal Health Information)? Especially, when they are personally identifiable?
|
|
Answer:
|
HIPAA rules apply to medical insurance companies, healthcare providers that do electronic transmissions, clearing houses and healthcare plans.
|
|
|
|
Question # 74:
|
I work in the billing department of a large multi-specialty doctors' office. When billing statements go out and there is a question regarding the bill, I need to know if I am allowed to speak to the patient's spouse or the patient's mom or dad when they call. What kind of authorization as of 4/15/03 do we need to speak to the spouse, can it be verbal or does it have to be in writing? This happens a lot because one spouse is usually the one in charge of the bills at home, or a parent if their child is 18 and in college. Please reply. Thank you.
|
|
Answer:
|
HIPAA has been the law for two years. The penalties will be applied for non-compliance on 4-14-03.
You can only discuss protected health information with the patient or a legal guardian. You must document the patient file with proof of the legal guardianship.
|
|
|
|
Question # 73:
|
What is guaranteed to pregnant workers under the pregnancy disability act?
|
|
Answer:
|
This is not a HIPAA question.
|
|
|
|
Question # 72:
|
If a patient schedules an appointment and is having another person/relative bring her to the office, is it OK for us to give out that information or does that person need to contact the patient?
This situation arose in our office.
Thank you
|
|
Answer:
|
You can not give that information out unless that person is a legal representative of the patient. The patient should do that.
|
|
|
|
Question # 71:
|
I am a patient of a doctor who has my blood report. I requested a copy faxed to me, he denied it, giving the reason that the Doctor's office is HIPAA compliant, therefore they cannot fax it to me. Please can you let me know if this is true.
I would really appreciate an answer.
Thanks
Tahm
|
|
Answer:
|
You have the right to request a copy. It is up to you and the Doctor to determine the best way to do that.
|
|
|
|
Question # 70:
|
I am the office manager, privacy officer, security officer. (for now at least) Question: When I enter data for this; what is the best way to show all 3 titles? Should I enter myself 3 times with each title or can I enter myself with multiple titles? Please advise the fastest way. thx, KCB
|
|
Answer:
|
You should do what makes the most sense.
|
|
|
|
Question # 69:
|
I work for the postal service and as we all know they, the postal service, thinks it is about the law. Anyway, we have a new attendance control system that is in effect or going in effect across the country. In this new 1-800 I am Sick call-in system, when we call in for sick leave, the attendance control supervisor asks for the nature of the illness and once the employee tells them, the ACS, the nature of the illness, they put your nature of illness in a computer program called RMD/eRMS; the nature of the illness is inputted in the remarks section that is provided. Will this not violate the new law?
|
|
Answer:
|
HIPAA rules apply to medical insurance companies, healthcare providers that do electronic transmissions, clearing houses and healthcare plans. The postal service does not seem to be any of those entities. This situation does not apply to any medical insurance either so I don't think HIPAA applies here.
|
|
|
|
Question # 68:
|
I am the HIPAA coordinator for our volunteer ambulance corps and need to know some information. It just happens that I also work for Empire BlueCross BlueShield in Middletown NY and have been trained on HIPAA there. Everyone felt I was the best person to teach for the ambulance corps.
1) I need some suggestions on what we need to be really concerned about. We already keep all our Patient Care Records locked up after we come in from a call.
2) Is there a written standard we need to follow, as most of these apply to Dr's, hospitals and insurance companies?
3) We do bill for our services and at times could be asked by people for the trip reports. What do we do then? If the patient is transported to the emergency room we do not NY state does not require the patient to sign the report, just the ER nurse.
I think that is all I have right now. I have my 1st class Friday 4/11.
Thank you, Danielle
|
|
Answer:
|
If your corps does electronic transmissions of protected health information and/or billing, then HIPAA applies. It is up to your organization to study the HIPAA law and apply as it fits. Your corps could even be considered a business associate of other covered entities depending on who you are doing services for.
You can not allow the trip reports to be published. That is a violation!!!! You can not give those trip reports to ANYONE that should not have access to them such as a newspaper.
The HIPAA laws and applications are available to members at the website www.HIPAAps.com.
|
|
|
|
Question # 67:
|
What about the employees? Do they have any rights when it comes to the HIPAA law? Are we violated from our employers? An example of this would be, should we wear our full names on our name tags? I feel that is an invasion of our privacy. This information does not need to be disclosed to the patients you see at your employment. I feel there should only be a first name, last initial, or vice versa.
|
|
Answer:
|
HIPAA does not require your last name on your badge.
|
|
|
|
Question # 66:
|
I work at the post office in Louisville, KY. We have a medical unit and an attendance control office. When we call in sick they require medical information to come to them from our Drs. and not go to the medical unit. Are they covered by this law and is the Dr. allowed to give this information out? Thanks
|
|
Answer:
|
A doctor can not release your protected health information without your signed authorization unless the information is used for Treatment, Payments or healthcare Operations.
|
|
|
|
Question # 65:
|
I am an R.N. at a hospital. Do I need to have my last name on my badge? I am being told that this is a HIPAA requirement. Is this true? Being a single woman, I am not comfortable with patients having access to my last name.
Thank You
|
|
Answer:
|
HIPAA does not require you to have your last name on your badge.
|
|
|
|
Question # 64:
|
Do all drug sample representatives, cleaning crew, building maintenance, medical supplier reps, lab reps, managed care representatives need to sign a confidential business associates agreement with you? If so, does one agreement stand for anyone representing the company? Please advise. Thanks
|
|
Answer:
|
If they are business associates then the covered entity must have signed Business Associate Agreements. In some cases, like a janitorial service, we recommend a confidentiality agreement instead of a full BA Agreement. It depends on the services offered and whether PHI access is part of the service. See the articles on Business Associates at HIPAAps.com or visit our Business Associate site at ba.hipaaps.com
Yes, the agreement is with the company, not the individual employees of that company. Then it is up to the BA to make sure the employees comply.
|
|
|
|
Question # 63:
|
I am an office manager at a newly formed medical practice. One of the physicians at the practice advised me of a rule I was not aware of: Can patients request/petition the physician to alter his/her notes if they do not agree with the notes documented at the time of the visit? (I.E. Patient comes to the office and weighs 300+, the physician documents in the chart the patient as one of the signs/symptoms/diagnosis "Pt is overweight and obese".) Please clarify this for me.
|
|
Answer:
|
HIPAA allows the patient to include additional information in his/her file. It does not provide for asking the provider to change the records.
|
|
|
|
Question # 61:
|
Do both doctor offices and pharmacies have the same questions?
|
|
Answer:
|
What questions? They have the same HIPAA regulations.
|
|
|
|
Question # 60:
|
We attended a Hipaa compliance class and were wondering if you have the notice of confidentiality and privacy practices available in Spanish.
|
|
Answer:
|
We are working on that as we speak
|
|
|
|
Question # 59:
|
I am an operations officer at a volunteer ambulance in New York. We do not bill our patients. Do we have to follow any HIPAA rules, since we do not bill???
|
|
Answer:
|
Do you do any electronic transactions besides billing? If you transfer any information electronically, then you are probably a covered entity.
|
|
|
|
Question # 58:
|
I am a geriatric social worker and am interested if laws have changed around making an elder abuse report and the use of HIPAA forms.
|
|
Answer:
|
I am not aware of the laws regarding abuse reports or the use of HIPAA forms. Sorry
|
|
|
|
Question # 57:
|
I have a question... hopefully you can follow. I made an appointment for my stepson with his pediatrician. My stepson's mother works in the same clinic in the urology dept. She found out I made an appointment and showed up at the appointment. I don't know how she found out about the appointment; I was told that any department can access the appointment schedule over the computer. Is she in violation? She says she's not, it's her son. He was in my custody at the time and I made the appointment. My husband (the father) has legal placement. Hope you can shed some light. Thank you.
|
|
Answer:
|
There are two points here:
1) Does the mother have legal rights to this information as a mother? In other words, is she legally able to know of this situation?
2) This could very well be considered a violation at the clinic depending on the policies and procedures of the clinic and her access level to the protected information of the clinic.
|
|
|
|
Question # 56:
|
I would like to find out legally how long a workstation on a PACS system can be left open if a radiologist forgets to log out?
I am in the process of setting up the automatic logouts on their workstations for when they forget to log out but I have been hearing conflicting time limits for how long the workstation can remain open. The radiologists do not want to be logged out right away when they step away from their workstation. Can you please let me know the maximum amount of time a workstation can be left open and still be in compliance with HIPAA? Thank you.
|
|
Answer:
|
There is no time limit specified by HIPAA. Each covered entity must make their own policies and procedures.
|
|
|
|
Question # 53:
|
I called my local hospital and asked if I could get a copy of my medical records for my own personal use. I asked what it would take to get them, she told me that it costs $15.00 then 35 cents a page to copy them off. She told me that I could look at them for free though. Is this correct, should I be charged for medical records that are mine in the first place? I live in the state of Missouri.
|
|
Answer:
|
The information may be yours, but the paper and ink are theirs. HIPAA allows for a charge for this service.
|
|
|
|
Question # 52:
|
Is there a HIPAA law stating that the patient can not sign in at the front with his name and time, and then be called back and his name be put on a board at the nursing station?
|
|
Answer:
|
No, this is an exception that falls under incidental disclosure
|
|
|
|
Question # 50:
|
Do I have a right to have a copy of my medical records from any doctor that I see regardless if they are located in the hospital or have their own practice? If I do have a right to have a copy of them, should they be free to me?
|
|
Answer:
|
Yes, you have a right to a copy of your medical records. And yes they can charge you for the copies.
|
|
|
|
Question # 49:
|
My employer Delta Air Lines is requiring a diagnosis along with a Doctor's Certificate whenever we call in sick. My question to you is this. Is this legal? Delta says they have the right to ask what our diagnoses are so they can pay or not pay for our time off. Please Please Please help me out in this matter and let me know what my rights are. Thanks for your time and help in this matter.
|
|
Answer:
|
I am not an attorney and can not give you legal advice. This is an issue beyond our expertise. And I don't think this is a HIPAA question. Your employer is asking you for the information not your Doctor to release it to them. Sorry I can't be of more help.
|
|
|
|
Question # 48:
|
I work for a physician who just started a practice 11/1/02.
There are 2 NP's, 1 MD and 4 staff. We do have our privacy policies, comp. officer, business agreements etc. We have the capability in our computer system to do electronic billing, etc but currently bill to paper. If we continue to bill paper and do not utilize electronics for eligibility, etc and we continue to meet the requirements for a small practice, what else are we responsible for under HIPAA?
|
|
Answer:
|
If your practice is not doing electronic transactions then you may not be a covered entity. And if that is the case then HIPAA does not apply to your office. If on the other hand, you are a covered entity or want to respect the HIPAA requirements then the list of HIPAA requirements is too long to answer here. They can be found in the articles at HIPAAps.com
|
|
|
|
Question # 47:
|
There is a possibility that my privacy and security has been violated. I received an e-mail from a stranger who claims to have gotten into my medical records. This person did not quote specifics about me but also claimed to have gotten someone else's records and specifics were given. Who can I contact to have this investigated?
|
|
Answer:
|
You should report the violation to the Privacy and/or the Security Officer at the healthcare provider that has the records. Or you can contact The Office of Civil Rights to make a complaint.
|
|
|
|
Question # 46:
|
Is HIPAA training to be supplied by employer prior to compliance date? If so, what should it consist of?
|
|
Answer:
|
Yes, it should be done prior to April 14. However, just get it done. The training should cover a healthcare provider's HIPAA policies and procedures and the HIPAA law. The training tool at HIPAAps.com is designed to provide this service on-line. Our training tool will simplify the HIPAA education requirements for any covered entity.
|
|
|
|
Question # 45:
|
I work as a customer service rep at a dental company. I'm dealing with a provider's office and they want to get a social security number of a patient who is 14 years old. I need to know if this is allowed or not? If you could please answer my question it would be greatly appreciated.
|
|
Answer:
|
What is a dental company? Is it a covered entity? Why would you have a child's social security number? Yes, social security number is protected health information.
|
|
|
|
Question # 44:
|
Clerical support checks in patients at the front desk and hands them a card identifying the type of procedure the patient is going to have done so that the technician who is to perform the procedure can retrieve the individual patient by procedure to be performed from the departments' patient waiting room. These are outpatient procedures within a sub-specialty clinic within a medical center. The cards are different colors and each card states a different procedure such as EKG, ECHO, STRESS, HOLTER, NURSE which are in bold type on each card which is about 6-8 inches long and 4-6 inches wide.
Is this a violation of each patient's privacy or HIPAA in relation to each patient having to be identified by the "procedure card"? Could this be perceived as a violation of a patient's privacy within the clinic?
Need a detailed reply STAT!
Thank you.
|
|
Answer:
|
In my opinion this is a violation. The color of the card and the bold print broadcast the patient's condition and is a violation of HIPAA privacy. Be more subtle about it.
|
|
|
|
Question # 43:
|
We share office space with another Dr. We are different entities, but we have always filed our charts together from a-z because both Drs. see some of the same patients. We do have a locked door to the reception office and patients can not see the charts. My question is do we have to separate our charts to be HIPAA compliant?
|
|
Answer:
|
Good question, probably not. Just make sure you document your policies and procedures. If keeping them together is a privacy issue, which I doubt, then you should separate them.
|
|
|
|
Question # 42:
|
I manage a medical equipment company. I understand the level of privacy pertaining to patients rights, yet my drivers need the basic street and name of client in order to deliver equipment. Will we be in violation of HIPAA in accordance to the de-iden. Thanks.
|
|
Answer:
|
HIPAA is not meant to prevent common business practices. This would likely be considered an incidental disclosure. However, it sounds like you could be considered a business associate of the provider that gave you the addresses. If on the other hand you are selling items directly without the involvement of a healthcare provider then HIPAA may not even apply to you.
|
|
|
|
Question # 41:
|
I have been a patient at a nearby chiropractic office for the last two years. As a new patient, I and my family were required to pay fee for service with our insurance being billed and us reimbursed as appropriate; until which time we were deemed to be under "wellness" care. We were then required to pay $150.00 per month for the entire family and our insurance was no longer billed.
At the beginning of 2003 our chiropractic office told us that we now had to be charged for each service again because of the new HIPAA law that was upcoming. So, they told me that we could still pay our $150.00 per month and that they would see what our insurance would cover. To date, I have received EOB's from our insurance company totaling nearly $1500.00 that have been paid to our chiropractic office in addition to the $150.00 that we have been paying them. When I asked them about this, they told me that these were the new fees. I can't believe that the same care that I received in December cost four times that in January!
I am a Dental Hygienist and have not heard anything about our fees having to change due to the new law. The chiropractic office claims that they have to charge everyone the same fee. I question the validity of their comment for three reasons. Number one, we are not being treated for disease. We are being treated for "wellness." Secondly, I do not believe that the HIPAA law has anything to do with fees. I was under the belief that the HIPAA law was to protect the insured and their privacy. And thirdly, I question the huge increase in the cost of our care. Can you give me some insight on this situation as my confidence in this office is waning.
I look forward to your help!!
Jeanne L Hanes
|
|
Answer:
|
You are correct, HIPAA has nothing to do with a change in fees. Sounds like it is time to change providers.
|
|
|
|
Question # 40:
|
Do we need to give a copy of the patient privacy act to each patient or just post it in our office?
Where can I get a sample form for a business associate and a trading partner? Thank you
|
|
Answer:
|
The rules do not require you to distribute the notice of privacy practices. It says you need to make a copy available for your patients or upon request. However, if a patient does not get one or you can not prove you gave them one, you have a violation. We take the stance that ALL patients should get one and sign a paper acknowledging receipt and that goes to their file. It is best to err on the more conservative side.
We have all the forms you need on our site at HIPAAps.com. We also offer excellent training for employees, another weak link in the HIPAA chain.
|
|
|
|
Question # 39:
|
I work in a doctor's office and we were wondering if it is a HIPAA regulation to have charts in closed cabinets w/doors or they are just okay in shelves?
Please let me know when you get a chance.
Thank you
|
|
Answer:
|
The regs do not specify that the files need to be locked up. It says do your best effort. However, if those files are not secure, if non employees have availability to them, if employees that do not need access based on the minimum necessary rule, then your office has a violation.
That is one of the tough parts of the act. Some things are specified, others are discussed with no specific recommendations, such as the security of files. HHS is going to post the final security regs in a couple of weeks. Those files are a security issue not a privacy one.
You can't be too secure. But it has to make sense from the operational point and the security aspects. You should lock them; if you don't, then recognize you have a potential security issue.
|
|
|
|
Question # 38:
|
Do you have a way to order the hipaa manual over the phone?
|
|
Answer:
|
The closest thing you can find to a HIPAA manual is a copy of the entire act from HHS. That is available from their web page.
A HIPAA policies and procedures manual is unique for each covered entity. The HIPAA committee must make choices in order to implement HIPAA compliant policies and procedures for that particular firm. Yes, there are mandated items that must be included, but the bulk of the manual should be specific things for that entity. HIPAA compliance will be a fluid thing changing over time as the rules change and are interpreted. As those changes occur, so must an entity's HIPAA manual.
A member of HIPAAps.com can painlessly choose the policies and procedures for a particular firm and print out the manual needed for HIPAA compliance.
|
|
|
|
Question # 37:
|
My company installs telephone systems for a major Drug Chain of retail stores. They have a drive up window in some locations for customers to leave and pickup prescriptions. They have told us we need to provide a HIPAA compliant measure in their pharmacy to protect the privacy of customers using the drive up window. Will a telephone handset connected to the mic outside satisfy the compliance requirement? This would make it so other customers inside the Pharmacy area would not be able to overhear the conversation between the person inside and the customer outside. Of course any passerby might overhear the conversation outside. Please advise on this.
|
|
Answer:
|
I think you could make the argument for your product. The law says here is what you are supposed to do, apply it to your practice. Your product addresses a potential violation area and makes sense. HIPAA does not specify that this be done, but it does say this information must be held as confidential.
You are a potential Business Associate to this chain. For more information on Business Associates go to our page at ba.hipaaps.com
|
|
|
|
Question # 36:
|
I just started my own medical billing company and would like to know what I need to do in order to be HIPAA compliant. I researched your web site and it seems to me for a small business like mine which contains just myself as an employee there is not a need for the $349.00 package. I feel that falls under the doctor's responsibility. I know the practice I bill for is completely HIPAA compliant. What I specifically want to know is what my responsibility is as far as being HIPAA compliant. Also, I know I need to fill out the business ass. form. I would like to know where I can obtain this from.
|
|
Answer:
|
It sounds like you definitely are not a covered entity as the MDs you are billing for are. However you are a business associate. Your clients, the MDs, must have you sign a Business Associate Agreement saying you will provide the same privacy that they must. So really you need to do the same compliance steps they must just for other reasons. We have a Business Associate site at ba.hipaaps.com that will help you through this process.
|
|
|
|
Question # 35:
|
I currently work for a practice that is not HIPAA compliant. That is not to say that it won't be by the deadline but one never knows. My question is... if they fail to comply... am I, as an employee, going to be fined for any violations since the lack of compliance is not my fault?
|
|
Answer:
|
You won't have to pay any fines. HIPAA will fine the practice you work for. The civil fines are $100 per violation per patient per year. So even though you won't have to pay any fines, your employer could be put out of business with the fines. There are numerous items that are potential violations. The fines could be $1,000's of dollars per patient.
If your employer has not started the process, please show them our web site. We have the simplest method to achieve compliance.
|
|
|
|
Question # 34:
|
I am a home health care nurse. I visit patients in their homes and then document my findings and submit them to my agency (a certified home health care agency). I have a visual disability which makes it difficult for me to read the small print on the company forms. For the past 7 years I have been typing my notes on a word processor (which is not connected to the internet) and submitting them to my agency.
I have recently been told that due to HIPAA law I am no longer allowed to type my notes. I believe this is not what the HIPAA law states, and I feel my employee rights are being violated. Please clarify HIPAA's policy with regards to this issue.
thank you,
|
|
Answer:
|
Your employer must adopt policies and procedures for their HIPAA compliance. One policy might be to restrict your typing on a computer. The law does not prohibit that in itself, though. Sending them could be an issue. A covered entity must review the law then make the necessary changes to be HIPAA compliant.
|
|
|
|
Question # 33:
|
I am at one of your health care facilities. The person in charge of me wants me to find out how to keep patient's personal information private. I am trying to set up a Windows 2000 server so that anyone who logs in has their folder mapped to a network drive. I have found out how to do that, but in the network neighborhood the usernames of all of the other patients show up. You can see their usernames, but access to the folders is denied. Is this a violation of HIPAA? Many thanks in advance!
|
|
Answer:
|
Yes and no. I assume the people logging in are employees of the firm so at least the exposure is limited. If you can avoid that then you should not display patient names even if you can't get to the information in the folder. If on the other hand this list is available to people other than employees that is a problem.
|
|
|
|
Question # 32:
|
I work at an HIV Clinic. I make referrals and fax prescriptions all the time. Within the University Hospital, consent is implied with HIV status. Will I still be able to fax referrals and fax prescriptions after April 15? Please answer ASAP. Thanks.
|
|
Answer:
|
At this time faxes fall into the gray area as electronic transmissions are defined. HHS has been asked to clarify this and we expect faxes to also be included in the definition. It isn't a matter of being able to use fax or electronic transmission. It is a matter of making sure the data is secure and your procedures protect the data and the patient privacy.
Implied consent? I would think you would want a signed consent form. It is better to be HIPAA compliant and not need to be than find out you should've been.
HIPAA is the law RIGHT NOW. April 14 is the date the fines can be imposed.
|
|
|
|
Question # 31:
|
What are the guidelines and procedures governing a dental hygiene clinic in a community college setting? Please advise.
|
|
Answer:
|
If you do NO electronic transmission or do not have a third party do any for you, then HIPAA probably does not directly apply to you. If, on the other hand, your firm does, then the full HIPAA rules apply.
|
|
|
|
Question # 30:
|
What kind (if any) of technical requirements are necessary when sending medical records from a business associate to a covered entity via e-mail?
|
|
Answer:
|
Basically, you need to make sure that information is secure and private. How you do that is up to you and the procedures your firm has adopted. The more secure you can make it the better. HIPAA leaves open the how to do it and just says the why you have to do it. That is the basic issue with HIPAA: you must interpret what you must do, such as "secure" the data, and make your best effort to follow procedures. If the privacy of the information is violated at the security you choose, then you have a problem. So in summary, to be as absolute as possible, you should encrypt it.
|
|
|
|
Question # 29:
|
I am setting up a sign to be exhibited in one of my medical client's offices that explains the "Notice of Privacy Practices" - my question is... is there a certain font size that the information must be exhibited in? Please respond by email as soon as you can. Thanks so much!
|
|
Answer:
|
No, there are no regulations on font size. I suppose if it was too tiny that would be a problem. The HIPAA rule says you need to post it, implying it must be readable. HIPAA says use your best discretion to carry it out.
|
|
|
|
Question # 28:
|
I only have one question: does the Privacy Officer need to have a Bachelor's Degree?
Thank you.
|
|
Answer:
|
Interesting question. I only have one answer, NO. There are no education requirements. It is a local decision by your firm as to who is to be the Privacy Officer and the Security Officer.
|
|
|
|
Question # 27:
|
I have a question for you???? Is the HIPAA in emergency medical services restricted to the # of people who can see the run sheets, based on the city's population???? I am the secretary and was informed that a city with population of 4,000 can have only 4 people look at the run sheets. Is this true?????
|
|
Answer:
|
Who told you that? No, there is no limitation in HIPAA. Your hospital could have adopted that as a policy or procedure, but there are no such limitations in HIPAA to do with population.
|
|
|
|
Question # 26:
|
Do you know of anyplace that is holding seminars or classes on HIPAA in my area?
|
|
Answer:
|
We don't have any such lists, but many state and local associations are offering HIPAA information sessions; you might want to check with them.
We do offer HIPAA training through our web site.
|
|
|
|
Question # 25:
|
Are HIPAA guidelines and requirements applicable to the workers' compensation industry?
|
|
Answer:
|
Yes and no.
Strangely enough, the law does not apply to workers' compensation insurance companies, only medical insurance. It does apply to the providers of care that create the medical records used with workers' compensation, though.
So while HIPAA does not specifically apply to WC, it does apply to the medical providers involved.
|
|
|
|
Question # 24:
|
If your office receives a subpoena for a patient's medical records, are you allowed to give them everything in their chart?
Can you redisclose records that aren't from your office, that are in the chart?
|
|
Answer:
|
This really is a question for your office's attorney, especially since it involves immediate legal issues that could have serious repercussions for your office.
According to the DHHS fact sheet, "...the Privacy Rule generally permits covered entities to disclose protected health information in the course of any judicial or administrative proceeding in response to a court order, subpoena, or other lawful process. See 45 CFR 164.512(e)."
So as a general, simplified answer, from a HIPAA point of view HIPAA cannot, and is not intended to, interfere with the law.
So yes, you would have to comply, and yes, if so directed, you would have to turn over a copy of all records requested in that subpoena. (Again, I have to stress that this is an issue that you should bring to your office's legal counsel. They can advise you as to any variations or other issues that might apply in that particular case, or how any state or local laws may apply.)
As to whether you may redisclose information that was originally generated by another healthcare provider, the answer is yes - a covered entity is permitted to disclose such information as long as the disclosure is for a purpose permitted by the Privacy Rule.
One definite thing under HIPAA, though: you must document in the patient's file what information was disclosed, to whom, on what date, and for what reason. (Including a photocopy of the subpoena in your office's own "non-routine disclosures" master file might not be a bad idea, if you want to be absolutely certain that you've covered all the bases.)
|
|
|
|
Question # 18:
|
Are faxes considered electronic transmission of data?
|
|
Answer:
|
Currently, only digitally transmitted information is considered to be an electronic transmission under HIPAA. However, the US Department of Health and Human Services has been asked to further clarify (make a final decision as to) whether facsimile transmissions are or are not electronic transmission of data.
While faxing documents instead of transmitting them electronically may mean you're not a covered entity at this time (it depends on several criteria, not just this), it might be a good idea to err on the safe side and assume facsimiles will eventually be included in the definition. That way, you're prepared if the rules change with the clarification. Since there are privacy and security issues to be dealt with when faxing anyway, it's a good idea to have a policy in place for handling the issue.
|
|
|
|
Question # 17:
|
One of my vendors has made me an offer to trade my client list to them and they will give me a web page for my practice for free. I was wondering if there is anything wrong with that as related to HIPAA. I would like a web page.
|
|
Answer:
|
I am sure the web page would be great for your practice. However, releasing a list of your clients would not be a good idea. HIPAA requires that you not release names of any of your clients to anyone outside your practice. Just letting someone know that a person is a client of your practice is a violation of HIPAA privacy rules.
Selling or trading patient information for financial gain is a criminal offense under the HIPAA privacy laws. The federal criminal penalties for violation of privacy are:
- Up to $50,000 fine and/or up to one year in prison for obtaining or disclosing protected health information.
- Up to a $100,000 fine and/or up to five years in prison for obtaining protected health information under false pretenses.
- Up to $250,000 fine and/or up to ten years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
|
|
|