|
Question # 613:
|
I would like to know what gamma hydroxybutyrate is, because I think someone had slipped it to me a couple of weekends ago. So I wanted to see all the side effects, what it does to you.
|
|
Answer:
|
This is not a HIPAA question. We do not identify drugs or their side effects.
|
|
|
|
Question # 611:
|
Is it a HIPAA violation to hang patients' Christmas cards in the waiting room if they signed their first and last name?
|
|
Answer:
|
No, this would not be a violation.
|
|
|
|
Question # 610:
|
I am a Business Manager in a dental practice. I want to know if it is a HIPAA violation to send out reminder postcards to patients about their dental appointments? The card includes the patient's name and address on one side and the date and time of their appointment.
|
|
Answer:
|
No. The only violation would be if PHI were included on the card. An appointment is not PHI.
|
|
|
|
Question # 332:
|
There are a number of cemetery websites that have genealogical information available about the deceased in a searchable format for that cemetery. Is this in violation of the HIPAA regulations or do the deceased have no rights?
|
|
Answer:
|
HIPAA applies only to certain entities. Cemeteries are not on that list.
|
|
|
|
Question # 250:
|
Is it against HIPAA regulations for either a doctor's or a dentist's office to leave a message on a patient's answering machine confirming or reminding them of an upcoming appointment? Similarly, is it a violation to leave a verbal message with a relative or another member of the household confirming or reminding of an upcoming medical appointment?
|
|
Answer:
|
The answer to this question is No, it is not against HIPAA regulations to leave appointment information on an answering machine or with a relative.
|
|
|
|
Question # 241:
|
Vitals-
I work at a Neurology practice.
Do we have to do vitals on every patient?
Do we do vitals on all follow ups or could we just do vitals on New patients only?
Thanks
|
|
Answer:
|
HIPAA does not dictate office practices - only the privacy and security of patient information. It is not meant to get in the way of everyday practices. The Vitals information would strictly be information that your practice needs to perform adequate care for the patients.
|
|
|
|
Question # 240:
|
I used to work for several physicians in an OB/GYN clinic. The doctors had trained a fellow employee to draw blood on patients. This person was not a licensed phlebotomist. According to all the new HIPAA guidelines, is this legal? Can a person draw blood under a physician's scope of practice without a license? Is this in compliance with HIPAA?
|
|
Answer:
|
This is a medical question, not a HIPAA question. HIPAA deals with Privacy & Security.
|
|
|
|
Question # 239:
|
According to the newest release of HIPAA, is it un-HIPAA compliant to have a patient sign-in sheet? I know of some offices that have a high level of patient income on a daily basis, and a sign-in sheet is the only way to keep track of all the patients without losing the personal aspect of customer care.
|
|
Answer:
|
Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).
|
|
|
|
Question # 229:
|
I OWN A COPY SERVICE. I AM HAVING A PROBLEM WITH A MEDICAL PROVIDER. THEY WERE SERVED WITH A WORKERS' COMPENSATION SUBPOENA (ISSUED BY THE PATIENT'S ATTORNEY) REQUESTING MEDICAL RECORDS. THE OFFICE MANAGER INFORMED ME THAT A SUBPOENA WAS NOT HIPAA COMPLIANT, THAT I NEEDED AN AUTHORIZATION FROM THE PATIENT, WHICH IS NOT A PROBLEM, BUT ALSO HAVE TO PROVIDE THEM WITH A WRITTEN AUTHORIZATION FROM THE WORKERS' COMPENSATION CARRIER STATING THAT THEY WILL ALLOW THE RECORDS TO BE COPIED. THE OFFICE MANAGER EXPLAINED THAT THIS IS REQUIRED UNDER HIPAA GUIDELINES BECAUSE W/C RECORDS BELONG TO THE W/C CARRIER, NOT THE PATIENT. IS THIS ACCURATE?
|
|
Answer:
|
Covered entities are permitted to disclose protected health information for such purposes as authorized by, and to the extent necessary to comply with, workers’ compensation law. See 45 CFR 164.512(l). In addition, the Privacy Rule generally permits covered entities to disclose protected health information in the course of any judicial or administrative proceeding in response to a court order, subpoena, or other lawful process. See 45 CFR 164.512(e).
|
|
|
|
Question # 228:
|
Does faxing constitute electronic transfer?
|
|
Answer:
|
Not at this time.
|
|
|
|
Question # 226:
|
IS THERE A HIPAAPS FORM FOR INVOICE TO OUR PATIENTS? AND WHERE IS IT LOCATED AT?
|
|
Answer:
|
There are no HIPAA invoice requirements.
|
|
|
|
Question # 224:
|
My sister-in-law is having a baby and she is having an ultrasound done and her husband cannot be there and she wants me to go with her, but they told her that I could not be there because it is a HIPAA law. But if my sister-in-law says I can be in there, is it still not OK? She doesn't want to take the chance of being there alone and them telling her that something is wrong with the baby. So my question is, if she wants me in the room with her and I have her permission, can I be in there? Thanks for your time.
|
|
Answer:
|
State or other law determines who is authorized to act on an individual’s behalf, thus the Privacy Rule does not address how personal representatives should be identified. Covered entities should continue to identify personal representatives the same way they have in the past. However, the HIPAA Privacy Rule does require covered entities to verify a personal representative’s authority in accordance with 45 CFR 164.514(h).
|
|
|
|
Question # 223:
|
My husband just recently had gastric bypass surgery and has had a lot of complications, and while we were in the hospital there were remarks made by some nurses about his weight when they were trying to move him, like "wow, this is going to be one workout, we better get a couple more nurses to help us." Then I overheard some nurses in the hallway talking about him and my family. My mother-in-law was very concerned and asked a lot of questions about the surgery and what to expect, and after she left they were out in the hall just discussing it, saying "oh, what a mama's boy, boys are treated so differently than girls," just going on and on. Isn't that breaking a patient's confidentiality? Did they have the right to discuss it in the hallway or to even discuss it at all? Isn't it their job to answer questions and concerns, and take care of a patient without the rude comments? Thank you.
|
|
Answer:
|
This is not directly a HIPAA question, but a question concerning bad manners. My suggestion would be to speak to the supervisor concerning the comments.
|
|
|
|
Question # 222:
|
If a person has insurance that expires Nov 30 and takes a job where new insurance okays before Nov 30, are all claims preexisting?
|
|
Answer:
|
The portability provisions of HIPAA say that no more than 63 days can pass when you do not have coverage in order for the portability (pre-existing conditions) to apply. From your comments it appears no time has passed so pre-existing conditions should be covered, if the coverage is issued. HIPAA applies only if the coverage is actually issued.
|
|
|
|
Question # 221:
|
Does an ambulance provider have the means to look at transfer documents concerning pt. transfers? This is asked due to concerns of being an EMT-P transferring pt's from one hospital to another.
|
|
Answer:
|
The HIPAA Privacy Rule permits an ambulance service or other health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider, such as a hospital, for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.
|
|
|
|
Question # 219:
|
I work in an outpatient imaging facility. When our patients come in, we've been giving them the HIPAA notice and asking them to sign a receipt that they've received it. What do we do if a patient refuses to sign the receipt, and argues the notice? Are we legally allowed to refuse treatment to the patient? How are we protected in this instance?
|
|
Answer:
|
The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.
Since signing is voluntary, it should be documented that the patient DID receive the notice and the reason for refusal to sign should also be documented.
By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule.
|
|
|
|
Question # 217:
|
When our HR department asks us to process a check to a medical or insurance vendor they are not providing any back up documentation to support the request and they say that due to HIPAA they are not allowed to provide any paperwork to the accounting office and they must keep everything on file in HR. I would like to know what information they can provide to us to justify their request for checks so we will also have a valid audit trail while respecting privacy. E.g., can they "black out" medical procedure and patient name and still provide us with statement showing balance due and remittance address for payment? Thank You.
|
|
Answer:
|
The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made.
|
|
|
|
Question # 216:
|
My question is about medical records. Let's say a medical office sends our office records. If this patient wants a copy of records this other office has sent us, can they be released?
|
|
Answer:
|
Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.
|
|
|
|
Question # 214:
|
My wife and I have just recently gotten pregnant about four months ago. I have been to every Dr. appointment and been in the room during the checkups. My wife has come down with a cold and can hardly talk. I called the OB Dr Office to find out what she can take over the counter for a cold and fever. I explained the situation to the Office Manager and she told me she can't discuss anything. As the husband and the parent, shouldn't I be able to find out about my own baby's condition and what I can do to help my wife? I feel this is completely wrong when you regulate what the father can be told about his own child and how to help his wife in a time when she needs it and can't talk on the phone.
|
|
Answer:
|
The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object.
|
|
|
|
Question # 211:
|
I work in a chiropractor's office in Illinois. We do file claims electronically. My questions are: 1) Can a patient's EOBs from their insurance company be kept in their medical record? When bulk payments or denials are received, copies are made, the patient's name is highlighted and placed in the medical record. So in any given chart you can see payments and denials for other patients with the same insurance. Is this in violation of HIPAA? 2) The chiropractor I work for, on the second visit with the patient after insurance coverage has been verified, estimates what their insurance will pay according to their benefits. He comes up with a payment plan for the patient to include everything he will do for the next 6 months or year including office visits, scans and x-rays and what his total charges would have been. The patients are then asked to sign a contract to pay up front or in monthly installments. Essentially patients' copays and deductibles are being written off. So let's say your treatment plan for 6 months will cost $3000.00 and your insurance will only cover $2000.00, he might ask you to pay $500.00 up front and the remaining $500.00 will be written off your account. Isn't this against HIPAA regulation?
|
|
Answer:
|
HIPAA does not dictate how a bill is to be paid. This would be an office procedure not directly connected to HIPAA.
|
|
|
|
Question # 210:
|
Is there anything in the HIPAA law that would give an employee rights when it comes down to their employer asking for medical notes when the employee is out sick?
Can the employer require a medical note?
If yes is there anything that wouldn't have to be disclosed in the note?
Thank you,
Rob
|
|
Answer:
|
The Privacy Rule is not intended to impede the flow of health information to those who need it to process or adjudicate claims, or coordinate care, for injured or ill workers. The minimum necessary standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose.
|
|
|
|
Question # 208:
|
After my GYN prescribed a medication that did not work for me, I phoned the office and spoke with a nurse who told me that they called my insurance company and requested a report of medications I had taken in the past 2 months and proceeded to question me about a sleep aid and cough suppressant prescribed by my PCP about a month ago. They could have asked me personally and I would have given them the same answer but I was shocked to find out they did this. Is this legal?
|
|
Answer:
|
Consulting with another health care provider about a patient is within the HIPAA Privacy Rule’s definition of “treatment” and, therefore, is permissible. In addition, a health care provider (or other covered entity) is expressly permitted to disclose protected health information about an individual to a health care provider for that provider’s treatment of the individual. See 45 CFR 164.506.
|
|
|
|
Question # 201:
|
I am the Claims/Security Manager for Midway Slots and Simulcast. Part of my responsibility included supervising our in house First Response Team, who are tasked with responding to all guest and employee injuries/illnesses.
When a response to an incident is made, a computer generated report is completed which includes name, address, phone no. time and date of the incident, what type of incident and what actions were taken. This report is then sent to me and after review, I forward the reports to our insurance company for determination of liability and coordination of any claim arising from the incident.
On occasion, these reports will contain information regarding past medical history, that has been voluntarily provided by the injured/ill guest/employee.
Because of this, do we fall under HIPAA regulations and what are our responsibilities for compliance??
|
|
Answer:
|
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care provider who transmits any health information in electronic form
The Definition of A Health Care Clearinghouse is (in part):
A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches.
In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a Business Associate. In such instances, only certain provisions of the Privacy Rule are applicable to the health care clearinghouse’s uses and disclosures of protected health information.
You could be a Business Associate (rather than a covered entity), in which case you need to go to www.hipaaps.com and read the information on Business Associate.
|
|
|
|
Question # 200:
|
We are an RDTF company. We did a nerve conduction test on the patient last year in June; now we are asked for the progress note for the patient, but the medical office didn't want to release any information. They asked for the form. Can you tell me what kind of form we need when you ask for the progress note for the patient for the test which you did last year? Thanks for your help.
|
|
Answer:
|
Without knowing more about the situation, I am going to try to interpret your question. The medical office may be assuming that you are a Business Associate; however, the HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.
45 CFR 164.506 states "(2) A covered health care provider may, without consent, use or disclose protected health information to carry out treatment, payment, or health care operations, if:
(i) The covered health care provider has an indirect treatment relationship with the individual; or
(ii) The covered health care provider created or received the protected health information in the course of providing health care to an individual who is an inmate.
(3)(i) A covered health care provider may, without prior consent, use or disclose protected health information created or received under paragraph (a)(3)(i)(A)-(C) of this section to carry out treatment, payment, or health care operations:
45 CFR 14.501 defines treatment as "Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another."
I hope this answers your question.
|
|
|
|
Question # 199:
|
If a patient refuses to sign the consent of treatment form because she does not want us to release the study done to her insurance company but at the same time wants us to bill the insurance, my question would be: are we compliant by refusing her study or asking her to pay for her study up front and letting her bill the insurance herself?
Thanks
|
|
Answer:
|
The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.
By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.
|
|
|
|
Question # 198:
|
I work for an oral surgeon and the staff is not sure about something. Are we allowed to call a patient's referring dentist to get information such as name, address, phone, birth date, social security number, insurance info and reason for referral? Hope you help. Thank you.
|
|
Answer:
|
Consulting with another health care provider about a patient is within the HIPAA Privacy Rule’s definition of “treatment” and, therefore, is permissible. In addition, a health care provider (or other covered entity) is expressly permitted to disclose protected health information about an individual to a health care provider for that provider’s treatment of the individual. See 45 CFR 164.506.
|
|
|
|
Question # 196:
|
Is it a violation of HIPAA to weigh and take a patient's vitals in front of another patient? This happened to me at my Dr's office last week and made me feel really uncomfortable.
|
|
Answer:
|
This would likely be classed as an incidental disclosure. It should probably be done more privately as it is part of your health information. You should speak to the doctor about feeling uncomfortable in the situation.
The HIPAA Privacy Rule does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Rule requires only that covered entities implement reasonable safeguards ("best effort") to limit incidental uses or disclosures. See 45 CFR 164.530(c)(2).
|
|
|
|
Question # 195:
|
In regards to HIPAA, what are the effects on FMLA? For example, when an employee needs to supply a doctor's note to cover injury/illness.
Thank you
|
|
Answer:
|
Records and documents relating to medical certifications, recertifications or medical histories of employees or employees' family members, created for purposes of FMLA, shall be maintained as confidential medical records in separate files/records from the usual personnel files, and if ADA is also applicable, such records shall be maintained in conformance with ADA confidentiality requirements (see 29 CFR Sec. 1630.14(c)(1)), except that:
(1) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of an employee and necessary accommodations;
(2) First aid and safety personnel may be informed (when appropriate) if the employee's physical or medical condition might require emergency treatment; and
(3) Government officials investigating compliance with FMLA (or other pertinent law) shall be provided relevant information upon request.
|
|
|
|
Question # 194:
|
Where can I find HIPAA guidelines that affect the way the Medical coder does his or her job?
|
|
Answer:
|
If you go to the website at: http://cms.hhs.gov/hipaa/hipaa2/news/NewsReleaseFull.asp#NewsItem11 you can download a PDF file with the final regs.
|
|
|
|
Question # 193:
|
In the event a business associate does not carry the credit card requested to purchase the HIPAA software, what other alternate payment method do you accept?
|
|
Answer:
|
We are in the process of getting set up to accept checks on HIPAAps.com. But for now, a check or money order may be sent to: HIPAAps, C/O D. Begley, Pres., 5115 Excelsior Blvd., St. Louis Park, MN 55416. With the check/MO, send information such as: Name, address, and phone number of the Business and the name of a contact person and an email address, plus any details that are pertinent so we can look you up on the web site to be sure you are set up correctly.
|
|
|
|
Question # 192:
|
How does the HIPAA privacy law affect FMLA?
|
|
Answer:
|
FMLA (Family and Medical Leave Act) is a Labor Law. The only overlap between the two is that HIPAA deals with the privacy of medical records, which may be needed in the process of applying for leave under FMLA.
|
|
|
|
Question # 191:
|
If an employer has an employee on workers compensation who is going to therapy for a work related injury, is the employer able to call the therapy department and change the therapy appointment schedule that has been set up for the employee.
|
|
Answer:
|
I really can't answer this question. Why would the employer want to change the appointment in the first place? Is the employee still on the job?
|
|
|
|
Question # 190:
|
THERE HAS BEEN SOME CONFUSION REGARDING THE BUSINESS ASSOCIATE AGREEMENTS LATELY. WHILE I UNDERSTAND THAT DOCTORS ARE NOT 100% OF THE TIME BUSINESS ASSOCIATES, I SEE ON THIS WEBSITE THAT PRACTICE MANAGERS ARE NAMED AS BUSINESS ASSOCIATES. ALTHOUGH "OVER-KILL" I MAILED THESE AGREEMENTS TO THE INDIVIDUAL DOCTORS/PRACTICES AND NOW THEY DECLINE TO RETURN THE AGREEMENTS.
PLEASE ADVISE.
I WANT TO BE SURE THAT THESE OTHER PRACTICES ARE COMPLYING AS WE ARE.
THANK YOU!!!
|
|
Answer:
|
A Business Associate, in general, is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use and disclosure of individually identifiable health information.
Business Associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.
Business Associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
Persons or organizations are not considered business associates if their functions or services do not involve the use and disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity.
However, the Privacy Rule permits a covered entity to use and disclose protected health information for treatment, payment, or health care operations.
For treatment purposes, the Rule generally allows protected health information to be shared without restriction. The definition of "treatment" incorporates the necessary interaction of more than one entity. In particular, the definition of "treatment" includes the coordination and management of health care among health care providers or by a health care provider with a third party, consultations between health care providers, and referrals of a patient for health care from one health care provider to another.
As a result, covered entities are permitted to disclose protected health information for treatment purposes regardless of to whom the disclosure is made, as well as to disclose protected health information for the treatment activities of another health care provider.
|
|
|
|
Question # 189:
|
Do workmen's compensation companies fall into the covered entities of HIPAA? I was informed by an employee at NationWide/Workman Comp. Div. that they are not required to follow HIPAA guidelines. As far as I can tell, from reading who is affected, they could be required to follow HIPAA rules.
|
|
Answer:
|
The HIPAA Administrative Simplification regulations specifically exclude from the definition of a “health plan” any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits, which are listed in section 2791(c)(1) of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1). See 45 CFR 160.103. As described in the statute, excepted benefits are one or more (or any combination thereof) of the following policies, plans or programs:
- Coverage only for accident, or disability income insurance, or any combination thereof.
- Coverage issued as a supplement to liability insurance.
- Liability insurance, including general liability insurance and automobile liability insurance.
- Workers’ compensation or similar insurance.
- Automobile medical payment insurance.
- Credit-only insurance.
- Coverage for on-site medical clinics.
- Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.
|
|
|
|
Question # 188:
|
My employer is requiring me to have one of my family member's doctors fill out FMLA paperwork in order to approve my time off to care for this person. Is this something that would fall under HIPAA? Thanks.
|
|
Answer:
|
Employers are not covered entities under HIPAA. However, your employer would need to know the reason you are taking time off work to care for this individual.
|
|
|
|
Question # 187:
|
Will not give my name. But there is an entity (Tioga Nursing Facility in Waverly New York) that is under the GHS (Guthrie Healthcare Facility from Sayre Pa), that are under the same HIPAA regulations and the TNF is not following the HIPAA regulations. There is swearing in front of the residents, sexual harassment, breach of confidentiality and just plain rude behavior. The residents cannot leave the area as they are placed around the nurses station and the nurses give report when everyone can hear.
|
|
Answer:
|
Is it possible that you could talk to the TNF Security Officer and explain what you see happening? The Security Officer's job is to correct this kind of a situation. Maybe he/she doesn't realize these things are happening.
|
|
|
|
Question # 186:
|
We deal with an outside finance company for our dental patients that provide financing for treatment done in our office. Do the HIPAA laws place any restrictions for a person who applies for this credit to apply towards treatment of a spouse. For example, information on the spouse who is receiving the treatment will need to be available to the spouse who has applied for the credit. The slip that needs to be signed has not only financial information on it, but also the treatment that was done. Thank you.
|
|
Answer:
|
The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made. Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. See 45 CFR 164.506(c) and the definition of “payment” at 45 CFR 164.501. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.502(b), 164.514(d), and 164.522.
|
|
|
|
Question # 185:
|
We notify patients, when they are in the office, of appointments that are needed for other members of their family. With the new HIPAA laws, are we now limited to disclosing only children's information or can we inform a husband that his wife is overdue for a cleaning? Thank you.
|
|
Answer:
|
The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
|
|
|
|
Question # 184:
|
Is it still permissible under HIPAA regulations to use deidentified data that has been previously collected for clinical purposes as research data? (After obtaining IRB approval, of course). Or, is it necessary for the patients to have signed a consent beforehand?
|
|
Answer:
|
Yes. Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i).
A web site with more information on research rules, etc. can be found at:
http://privacyruleandresearch.nih.gov/pr_02.asp
|
|
|
|
Question # 182:
|
I WORK AT AN ELDERLY APARTMENT COMPLEX AND MY RESIDENTS PUT OBITUARIES UP ON THE BOARD TO NOTIFY OTHERS, OR THEY MAY PUT A NOTICE UP LETTING OTHER RESIDENTS KNOW THAT A FELLOW RESIDENT IS IN THE HOSPITAL.
HOW MIGHT THIS AFFECT US.
|
|
Answer:
|
I'm not sure if this answers your question, but I hope it helps.
The Privacy Rule explicitly permits certain incidental disclosures that occur as a by-product of an otherwise permitted disclosure—for example, the disclosure to other patients in a waiting room of the identity of the person whose name is called. In this case, disclosure of patient names by posting on the wall is permitted by the Privacy Rule, if the use or disclosure is for treatment (for example, to ensure that patient care is provided to the correct individual) or health care operations purposes (for example, as a service for patients and their families). The disclosure of such information to other persons (such as other visitors) that will likely also occur due to the posting is an incidental disclosure.
Incidental disclosures are permitted only to the extent that the covered entity has applied reasonable and appropriate safeguards and implemented the minimum necessary standard, where appropriate. See 45 CFR 164.502(a)(1)(iii). In this case, it would appear that the disclosure of names is the minimum necessary for the purposes of the permitted uses or disclosures described above, and there do not appear to be additional safeguards that would be reasonable to take in these circumstances. However, each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances.
|
|
|
|
Question # 181:
|
I AM A MANAGER OF AN ELDERLY APARTMENT COMPLEX THAT FOLLOWS HUD AND LIHTC GUIDELINES. WE ARE REQUIRED TO VERIFY BY 3RD PARTY MEDICAL EXPENSES, LIFE INSURANCE POLICIES ETC.
HOW WILL HIPAA AFFECT THIS PROCESS?
|
|
Answer:
|
I'm not sure what all you are wanting information on. However, maybe this will answer some of your questions.
The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made. Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. See 45 CFR 164.506(c) and the definition of "payment" at 45 CFR 164.501. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.502(b), 164.514(d), and 164.522.
|
|
|
|
Question # 180:
|
MY EMPLOYER WANTS TO KNOW WHAT THE PROCEDURE FOR GIVING INFORMATION OVER THE PHONE IS AND WHAT HIPAA ALLOWS.
FOR EXAMPLE :
OUR OFFICE RECEIVES CALLS ALL THE TIME FROM PATIENTS AND THEIR SPOUSES AND CHILDREN STATING THAT THE PATIENT DOESN'T OWE ANY MONEY AND THAT THE PATIENT DIDN'T SEE THAT DOCTOR ON THAT DAY. I NEED TO KNOW WHAT WE ARE ALLOWED TO TELL THE PATIENT, THEIR HUSBAND OR WIFE AND CHILDREN. ARE WE ALLOWED TO SAY OR VERIFY THAT THE PATIENT DID SEE THE DOCTOR AND WHAT THE BALANCE IS? CAN WE GIVE INFORMATION TO OTHER FAMILY MEMBERS? PLEASE ADVISE
THANKS
|
|
Answer:
|
A covered entity may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
|
|
|
|
Question # 178:
|
I wanted to know if I took my prescription and dropped it off and when I picked it up and after I took them I started feeling sick, what should I do?
|
|
Answer:
|
This is not a HIPAA question. Sorry.
|
|
|
|
Question # 177:
|
WHO IS THE PRESIDENT OF HIPAA AND IN WHAT YEAR DID IT GO INTO EFFECT?
|
|
Answer:
|
The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 61 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information.
HIPAA required the Secretary to issue privacy regulations governing individually identifiable health information, if Congress did not enact privacy legislation within these years of the passage of HIPAA. Because Congress did not enact privacy legislation, HHS developed a proposed rule and released it for public comment on November 3, 1999. The Department received over 52,000 public comments. The final regulation, the Privacy Rule, was published December 2, 2000.
In March 2003, the Department proposed and released for public comment modifications to the Privacy Rule. The Department received over 11,000 comments. The final modifications were published in final form on August 14, 2002.
All covered entities, except "small health plans" must be compliant with the Privacy Rule by April 14, 2003. Small health plans have until April 14, 2004 to comply.
|
|
|
|
Question # 175:
|
My minor daughter (13) recently went to the orthodontist and I was appalled when the dentist refused to let me be in the room with her. Was he correct in asking me to leave? Does and can my daughter need to sign a "consent form?" Is this part of the HIPAA bill, not to allow parental knowledge of their children's medical information?
|
|
Answer:
|
The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524. The scope of access will depend on the authority granted to the personal representative by other law. If the personal representative is authorized to make health care decisions, generally, then the personal representative may have access to the individual’s protected health information regarding health care in general. On the other hand, if the authority is limited, the personal representative may have access only to protected health information that may be relevant to making decisions within the personal representative’s authority. For example, if a personal representative’s authority is limited to authorizing artificial life support, then the personal representative’s access to protected health information is limited to that information which may be relevant to decisions about artificial life support.
There is an exception to the general rule that a covered entity must treat an adult or emancipated minor’s personal representative as the individual. Specifically, the Privacy Rule does not require a covered entity to treat a personal representative as the individual if, in the exercise of professional judgment, it believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual has been or may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual. This exception applies to adults and both emancipated and unemancipated minors who may be subject to abuse or neglect by their personal representatives.
|
|
|
|
Question # 173:
|
How do you handle phone calls, voicemail or answering machines, and need to leave a message re: an appointment or surgery for that pt?
|
|
Answer:
|
Please see the answer to Question #119. I think it will give you your answer. Thanks.
|
|
|
|
Question # 172:
|
How do I know if our office will be affected by HIPAA? We don't submit claims electronically, and we have 9 employees. With the doctors it's 12. Please let me know.
Thank you,
eileen
|
|
Answer:
|
HIPAA applies to (1) health plans; (2) health care clearing houses; and (3) health care providers, regardless of size, who electronically transmit health information in connection with certain transactions.
"The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf."
If none of these pertain to your office and you are still not sure if you are a covered entity, go to the website http://www.hipaaps.com and look at the description under 'What is HIPAA' and 'Who is affected?'
Hope this helps.
|
|
|
|
Question # 171:
|
When a patient comes in, is it allowable at the front desk to ask if their birthdate is such and such, address is correct, marital status and who their employer is? JUDY
|
|
Answer:
|
What do you need the information for? Are you working in a medical office? If you are gathering information for a doctor and talking to the patient where it is reasonable that the information is confidential, yes, you can collect information that will be helpful to the doctor who will be providing health or medical care.
|
|
|
|
Question # 169:
|
Where can I find a PHI report form? Thank you
|
|
Answer:
|
What kind of PHI report form are you looking for? If you are a member of HIPAAps.com, check the Forms section and see if the form you need is there. If it isn't, email me back with more information.
|
|
|
|
Question # 168:
|
Who pays the penalties, the employer or the violator?
|
|
Answer:
|
Penalties for what? The covered entity is ultimately responsible when a violation occurs. However, how he handles the person who constituted the violation is at his discretion.
Does this answer your question?
|
|
|
|
Question # 167:
|
Hello,
I am a massage practitioner in MD. I do NOT take insurance, credit cards, or do any processing by computer. Any clients who request their files must do so at the time of their visit. All clients receive hard copies only, I do not do any transfers over the web. Does HIPAA apply to me?
Thank you,
Karen
P.S. If you have already answered my first email please disregard this one.
|
|
Answer:
|
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
If none of the above fits your description, you may not be a covered entity and you probably only keep your client information secure as a courtesy to your clients.
|
|
|
|
Question # 166:
|
I work at a Hospital and release information to life and health insurance companies. What is the verbiage that I need to see in the authorizations I receive? What must be in there? Can you send me an acceptable outline or copy of an authorization you created that I can just put our name on?
Please help asap or call me 619 299-7513 or fax me a copy of an example. 619 229-7539.
Thank you very much. Adrina Morton
|
|
Answer:
|
Adrina, Is the information you release for claims payment?
HIPAA says "A covered entity may use and disclose PHI for its own treatment, payment, or health care operations activities."
and "Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment to be reimbursed for the provision of health care to an individual."
Obtaining "consent" (written permission from individuals to use and disclose their PHI for treatment, payment, and health care operations (TPO)) is optional under the Privacy Rule for all covered entities. The content of the consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent.
I hope I have interpreted your question correctly and that this answers your question.
|
|
|
|
Question # 164:
|
In the manual, how do I edit and/or delete items that do not pertain to our company?
Thank you,
Kelly Young
Reality Systems
636-498-1805
|
|
Answer:
|
As you go through the process of setting up the company on HIPAAps.com, and you go through the library, you can choose the documents you want for your manual. Once all documents are chosen, you can view, edit and print each document using the document manager.
|
|
|
|
Question # 163:
|
I recently took my 17 year old son to a specialist who ordered many tests, and instructed me to call his office in two weeks to get the results of these tests. When I called the office, I spoke to a nurse, told her who I was and that my son was underage and I had been instructed to call the office for results of tests. I was told that I was not able to receive any information on my son's tests unless I had "power of attorney". Is this correct, when the child is a minor?
|
|
Answer:
|
The Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.
There are three situations when the parent would not be the minor’s personal representative under the Privacy Rule. These exceptions are: (1) when the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law; (2) when the minor obtains care at the direction of a court or a person appointed by the court; and (3) when, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.
However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access. Parental access would be denied when State or other law prohibits such access. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor’s medical information.
You should not need a 'Power of Attorney' - only proof of your relationship with your son and that you are his personal representative.
|
|
|
|
Question # 162:
|
A worker in a call center answers a call, the call requires the worker to ask for health information. The call is recorded, is the call recording itself covered? The recordings are digital files.
|
|
Answer:
|
Is the call center a covered entity?
I'm not sure what you are asking. Are you asking if the recording is covered by HIPAA?
As with any health information, the information on the recordings needs to be protected from unauthorized personnel.
|
|
|
|
Question # 161:
|
My daughter is 20 years old. She is currently covered under my medical insurance w/Cobra coverage. She has been on her job almost 2 months and signed up for their group health insurance, which will go into effect May 1, 2003. I was going to drop her from Cobra coverage the end of April, but am not sure this is the best thing to do.
My situation is this...my daughter has been having a lot of pain and discomfort in her right knee (had surgery on same knee 6 years ago). She went to the doctor (4/25/03) and has been referred to an orthopedic doctor for follow-up. Her appointment with the orthopedic is May 7, 2003.
Question #1...Will the new insurance pick up expenses where the cobra insurance ends, or should the cobra insurance be extended until the knee problem is resolved?
Question #2...The new insurance company (UnitedHealth) told me that this would be considered a "pre-existing condition" unless the orthopedic doctor's diagnosis was different from the original diagnosis. Is this correct?
|
|
Answer:
|
I really can't answer this question. You need to ask these questions of the Insurance agent with whom you have coverage.
|
|
|
|
Question # 160:
|
Do you cover other areas that are not health related? I am inquiring about Motor Vehicle Records. Can an Insurance agency get MVR's on one of their customers employees and release that information to the customer, or does the customer have to get the information? If you can not answer this question can you please direct me to someone that can answer this.
Thank you for your assistance.
|
|
Answer:
|
No, this is not a HIPAA question. HIPAA does not cover Motor Vehicle records. I'm sorry but I do not know the answer to your question.
|
|
|
|
Question # 159:
|
I am a patient care volunteer with our local Hospice Organization. Our duties involve going into a patient's home and sitting with them for a few hours at a time. We were always given a face sheet before we went to a new patient which told us a diagnosis. This also gave us information on whether or not the patient had a communicable disease like HIV, TB, or Hepatitis that ran concurrently with the primary diagnosis. Now we are not given any information. Don't we fall under a right to know? Under certain circumstances a volunteer might not want to be exposed to one of these diseases.
|
|
Answer:
|
You are considered part of the workforce of the Hospice Organization even though you are a volunteer.
The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the Rule requires covered entities to make their own assessment of what protected health information is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly.
This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.
The minimum necessary standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information. It is intended to reflect and be consistent with, not override, professional judgment and standards.
Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to personal health information without sacrificing the quality of health care.
HIPAA was not meant to inhibit caregivers from having information they need to care for the patient, and as a part of the workforce, you have the same responsibilities for the privacy of the PHI as the covered entity.
|
|
|
|
Question # 158:
|
I currently have Horizon Blue Cross Blue Shield of New Jersey. I'm upset that they have my SSN number printed on the card. If I was to lose my wallet then my SSN number is exposed. Do you know if this is covered under HIPAA?
Thanks
Jim
|
|
Answer:
|
In this case, your SSN is your insurance identification number. No, this is not covered by HIPAA. However, when someone comes up with another means of identification, insurance companies will probably not use SSNs for ID. It is rather complicated at this point.
|
|
|
|
Question # 157:
|
I work at a 911 dispatch center. We use voice paging, and also some agencies have pagers where the initial information is sent to them. Address, nature of call, and a brief text like "25 y/o male difficulty breathing." Then once the units go enroute to the call they get updated information, such as, repeat of address and "25 y/o difficulty breathing, has history of asthma, is currently conscious and breathing." This is our center's policy, and this is how the fire departments and ambulances prefer their information. How does this affect us (and the responders)? What can (and can't) we air in these 911 situations? Thank you!
|
|
Answer:
|
Please see the answer to Question #68. If you are not a covered entity, you may be considered a Business Associate of your local medical institutions. Do you use actual names or just minimum necessary information during your broadcast?
Read the answer to Question #68. In the meantime, I will do more research on this question.
Thanks.
|
|
|
|
Question # 156:
|
I am a practicing massage therapist in MD. I do not do ANYTHING electronically. Any clients who want a copy of their files get a hard copy and must request it at the time of their appointment. I take no insurance or credit cards. Am I still required to have the HIPAA package?
|
|
Answer:
|
Please see the answer to Question #152. I think this will also answer your question. Thanks.
|
|
|
|
Question # 155:
|
I work in research and would like clarification on who is responsible for the HIPAA Consent for research subjects. We are receiving a lot of changes to our HIPAA consent from sponsor companies, and have concerns with the wording. From what I have read and understand is that they are not covered entities when it comes to a research study. It is the Principal Investigator and site's responsibility with the confidentiality of the patient's data that is being collected and used. That the sponsor is covered under the Investigator.
|
|
Answer:
|
For Health Research, a covered entity can use or disclose PHI for research without authorization under certain conditions, including
(1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations;
(2) for activities preparatory to research; and
(3) for research on a decedent's information.
The Privacy Rule permits covered entities to disclose PHI, without authorization, to public health authorities or other entities who are legally authorized to receive such reports for the purpose of preventing or controlling disease or injury; reporting vital events (e.g. births or deaths); conducting public health surveillance, investigations, or interventions; reporting child abuse and neglect; and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological, and medical devices [45 CFR 164.512(b)].
I hope this helps. Without knowing the type of research you are doing, I have to give you a general description of the law.
|
|
|
|
Question # 154:
|
My fiancé and father of my children had recently been murdered. I am the beneficiary of his life insurance. The insurance co. requires me to send in his hospital reports. The hospital tells me I need the next of kin to sign an authorization. I cannot obtain this, he was not very close with his relatives before his death so it is difficult for me to get this. What could I do to obtain these records? Everything was in my name and my fiancé's name: bank accounts, bills for which we did reside together. I am at a standstill.
|
|
Answer:
|
This is an unfortunate situation and I wish I could help you, but this is a legal question and I do not have the expertise to answer it. Please see an attorney and explain the situation.
|
|
|
|
Question # 152:
|
We have a massage therapy school and clinic that is open to the public. We do handle client files but do not work with billing or insurance. All services are offered on a cash basis. Do we need to be compliant with HIPAA?
|
|
Answer:
|
Covered entities are: "Health plans; health-care clearing houses; and health care providers who transmit information in electronic form in connection with certain transactions."
If none of these descriptions fit you, chances are you are not a covered entity and would not, by law, need to be compliant with HIPAA. However, you might study the HIPAA rules pertaining to client Protected Health Information (PHI) and, for your protection, apply those rules.
|
|
|
|
Question # 151:
|
We are an ophthalmology office that dispenses contact lenses to patients, the question is: Do we need a signed release form for the patient's relatives or friends to pick them up if the patient themselves is unable?
|
|
Answer:
|
Are you a covered entity? It would be prudent to have a signed release unless you are positive the lenses will be going to the person they were meant for. At least document who picked the lenses up and place the documentation in the patient's file.
|
|
|
|
Question # 149:
|
Can the spouse of a patient make an appointment for the patient at the patient's physician's office and can the spouse be given the information pertaining to date, time and any pre-appointment information necessary to be done before said appointment?
Also, can a signed consent form be put in one's medical record stating that the spouse has permission to receive any information that the patient has a right to? What are the requirements to make this legal?
Thanks.
|
|
Answer:
|
HIPAA does not eliminate common sense. Your husband may have to sign an authorization or at least talk with the clinic, but this should not be an issue.
The clinic probably has an authorization to use for this purpose. If not, we offer a library of sample forms on our web site at HIPAAps.com for our members.
|
|
|
|
Question # 148:
|
Can an immediate family member obtain medical records when a patient has died suddenly?
|
|
Answer:
|
The HIPAA Privacy Rule recognizes that a deceased individual’s protected health information may be relevant to a family member’s health care. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative. First, disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative. Second, a covered entity must treat a deceased individual’s legally authorized executor or administrator, or a person who is otherwise legally authorized to act on the behalf of the deceased individual or his estate, as a personal representative with respect to protected health information relevant to such representation. Therefore, if it is within the scope of such personal representative’s authority under other law, the Rule permits the personal representative to obtain the information or provide the appropriate authorization for its disclosure.
|
|
|
|
Question # 147:
|
When are family members, or anyone, allowed to have or view medical records?
|
|
Answer:
|
The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524. The scope of access will depend on the authority granted to the personal representative by other law. If the personal representative is authorized to make health care decisions, generally, then the personal representative may have access to the individual’s protected health information regarding health care in general. On the other hand, if the authority is limited, the personal representative may have access only to protected health information that may be relevant to making decisions within the personal representative’s authority. For example, if a personal representative’s authority is limited to authorizing artificial life support, then the personal representative’s access to protected health information is limited to that information which may be relevant to decisions about artificial life support.
There is an exception to the general rule that a covered entity must treat an adult or emancipated minor’s personal representative as the individual. Specifically, the Privacy Rule does not require a covered entity to treat a personal representative as the individual if, in the exercise of professional judgment, it believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual has been or may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual. This exception applies to adults and both emancipated and unemancipated minors who may be subject to abuse or neglect by their personal representatives.
|
|
|
|
Question # 146:
|
When "testing" a patient, should there be some way to protect the patient's identity? Meaning, instead of closing a door then doing a test, can there be a drape of some sort to block the patient from being seen as passers-by walk by?
|
|
Answer:
|
I'm not sure what kind of testing you are doing, but you have the idea on the main point - the patient's privacy. Whatever makes sense as long as the patient's privacy is protected.
|
|
|
|
Question # 145:
|
I recently called my health insurance company to request information on outstanding claims for my son that I submitted. The claims have been in review for many months now, and since the time that the claims were filed my son turned 18. My son is currently not available for me to contact. They informed me when I called and asked questions concerning these prior claims that my son has turned 18 and so they cannot give out any claim information to his mother, even though I, his mother, submitted the claims before he was 18 and the insurance company took many months to review them. I then talked to a manager who said the same thing, and then changed his mind and said that if my husband signed a release, they could release info to me, his wife, for my son. This sounds crazy. I also asked for a copy of these so-called privacy laws concerning this situation and he claimed that he couldn't fax those laws to me.
Now he has called me back and he's not sure if he can disclose any information on my son's claims from before he turned 18 without his consent, but is trying to find out. Secondly, from reading some other people's questions, it looks like the company should have sent out to all their clients information and a form to sign stating that they understand these new laws. Nothing has ever been sent to us from this insurance company. Does this violate the law and if so who do I report this to? Thank you.
|
|
Answer:
|
The individual who is the subject of the protected health information can exercise all rights granted by the HIPAA Privacy Rule with respect to all protected health information about him or her, including information obtained while the individual was an unemancipated minor consistent with State or other law. Generally, the parent would no longer be the personal representative of his or her child once the child reaches the age of majority or becomes emancipated, and therefore, would no longer control the health information about his or her child. Of course, any individual can have a personal representative – which may include a parent – who can exercise rights on his or her behalf.
|
|
|
|
Question # 144:
|
As a network administrator, if you go in and design or work on a network for a company that is under the HIPAA standard, is there anything that needs to be done for me to work on that network? If so, could you send me all the info?
|
|
Answer:
|
Working on network computers that contain Protected Health Information (PHI) makes you a Business Associate. You need to have a BA contract with the company(ies). The HIPAAps.com website will give you the information you need and has all the information you need to become HIPAA compliant.
Thanks for your question.
|
|
|
|
Question # 143:
|
It is past the HIPAA deadline date and the Orthodontist I work for is not HIPAA compliant in any way. As a matter of fact he thinks it is nothing but a joke. We have tried to get him to get with the program, but no luck. For him, rules are for other people. I'm not sure what to do, any suggestions??
|
|
Answer:
|
Direct him to our What is HIPAA? page. You could also print out that page, highlighting the paragraphs that describe the penalties that can be imposed for non-compliance, and leave it on his desk.
Depending on the type(s) of violations, he could be hit with fines, or even a prison term. (How does he look in an orange jumpsuit?) Adapted from the glossary:
[HIPAA] also creates a system for compliance review by HHS Office of Civil Rights and a system of sanctions ranging from civil penalties of $100 per day to criminal charges, which could lead to prison sentences of up to ten years and fines of up to $250,000.
The penalties for non-compliance with the transactions and code sets are $100 per occurrence up to a maximum of $25,000 per standard per year.
The civil penalties for covered entities that violate the privacy standards are $100 PER incident, PER year, PER standard violated, to a maximum of $25,000 per person (patient).
The federal criminal penalties for violation of privacy are:
- Up to $50,000 fine and/or up to one year in prison for obtaining or disclosing protected health information.
- Up to a $100,000 fine and/or up to five years in prison for obtaining protected health information under false pretenses.
- Up to $250,000 fine and/or up to ten years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
I don't think he'd find it much of a "joke" if he were investigated and started seeing how big the fine was getting! Simply not having the patient files in a secure place would be fined at $100 per file. Not so bad, until you realize you have (for example) 500 patient files- that's $50,000! If he doesn't have a Notice of Privacy Practices in place, that's $100 per patient... and the fine's up to $100,000.
Hopefully you'll be able to convince your boss that HIPAA is serious business, before he finds out the hard way!
|
|
|
|
Question # 142:
|
If you are the responsible party, are you allowed to call and find out about the charges that are applied to your spouse and children?
What if you are not the responsible party, but are listed under the policy, are you allowed to call and ask about the charges that were applied to your spouse's acct?
If you are under 18 years of age, does your parent have the right to call about the charges to your acct under the HIPAA law?
|
|
Answer:
|
If you are legally eligible to receive this information and can document that and your identity, the clinic should provide you the information. If you can't, then the clinic cannot release it to you.
Under HIPAA, the clinic has a responsibility to protect the privacy of their patients and must follow the rules.
|
|
|
|
Question # 141:
|
Is a sign in sheet o.k.?
If a family member or friend calls looking for a patient, can we pass the phone to the patient?
|
|
Answer:
|
Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).
If you pass the phone to the patient, it would be up to the patient to keep any medical information to a minimum.
|
|
|
|
Question # 140:
|
I manage a 911 answering center who dispatches fire depts. and ambulances. Would our operation fall under "covered entity" as we broadcast over the air the call type and location of medical emergencies? Often times we will use the caller's name or residence name and the type of emergency (i.e.: diabetic emergency, Smith residence, 123 Main St etc.).
If we were to refrain from saying the name of the caller, would we then fall into compliance?
We also fax time response data to hospitals after ambulances arrive so that they can complete their run forms. This information includes name, time of dispatch, arrival etc. Would these faxes violate the regulations? If they were faxed to a secured room would that make a difference?
Thank You.
|
|
Answer:
|
The HIPAA Privacy Rule covers "(1) Health Plans; (2) Health care clearinghouses; and (3) Health care providers who conduct certain financial and administrative transactions electronically."
It appears that you are collecting Protected Health Information (PHI) on a patient and that you are using electronic transactions, which would make you a covered entity. Therefore, you would need to be HIPAA compliant. The easiest way to become compliant is to go to www.hipaaps.com. All the forms, procedures and information are on that site, plus procedures to train all employees.
And, yes, the fax machine should be located in a secured room where only the people that need the information would see it.
|
|
|
|
Question # 139:
|
Are there any identifying stickers, dots, or other methods we can use for the front of a patient's chart to indicate a health alert other than a sticker naming the health alert? Currently, we are putting the health alert inside the pocket chart so that it is not visible from the outside; however, there has been an incident where the information was missed. Is it within the HIPAA policy to put a 'colored' sticker alerting the staff that there are health alerts to be alerted to? Thank you.
|
|
Answer:
|
As far as we can tell, the use of (for example) an allergy sticker on the folder probably falls under the "reasonable use" provisions of the law. "Reasonable use" includes things like calling a patient's first name in the waiting room to let them know the doctor is ready to see them; while it does violate absolute privacy to a small degree, it's a necessary part of clinic operations.
The acceptability of the sticker might depend on how specific it is, how large it is, whether other patients are likely to see it, etc. If it just says "allergies" or "drug allergies", it's probably fine; if it's more specific, and visible (easily read) to other patients, that could be an issue.
The important thing is for your office to document their decision, either way. If you would like to continue using it (and it does seem a reasonable thing to do in a patient care situation), you should document the decision and explain why you think it would NOT be a violation to do so. Might also be good to put in a brief explanation of why they have chosen to use the sticker- studies show fewer mis-prescribed drugs, or whatever the deciding factor was for them. (With HIPAA, it's generally better to overdocument than underdocument!)
If, at a later time, you do find out it is a violation, then they can change the procedure and remove the stickers, or go to a variation on the theme, such as using a blank, color-coded tag on the outside of the folder, with the allergy warning inside. (Obviously, documenting the change in policy, date undertaken, and date completed.) Having documented the original plan and reasoning for it should theoretically be enough to protect them from any possible HIPAA fines, as they had obviously made a good-faith effort to comply and thought out the decision carefully beforehand.
|
|
|
|
Question # 138:
|
What are the 19 HIPAA Identifiable Health Information fields?
|
|
Answer:
|
This information is available in our glossary, under "Protected Health Information". I have included the definition below.
Protected Health Information (PHI)
Individually identifiable health information:
- Except as provided in paragraph (2) of this definition, that is:
  - Transmitted by electronic media;
  - Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or
  - Transmitted or maintained in any other form or medium.
- Protected health information excludes individually identifiable health information in:
  - Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; and
  - Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).
PHI includes references to not only the patient, but also their relatives, employers, or household members.
The items that constitute PHI:
- Name
- Address
- Phone Numbers
- Fax Number
- Dates (birth, death, admission, discharge, etc.)
- Social Security Number
- E-mail Address
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Certificate or License Numbers
- Vehicle Identifiers and Serial Numbers, including license plate numbers
- Device Identifiers and Serial Numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) Address Numbers
- Biometric Identifiers, including finger and voice prints
- Full Face Photographic Images and any comparable images
- Any other unique identifying number, characteristic, or code
- Patient's Medical History
Exclusion for Employment Records
The final Rule clarifies that employment records maintained by a covered entity in its capacity as an employer are excluded from the definition of protected health information. The modifications do not change the fact that individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information.
|
|
|
|
Question # 137:
|
I would like to know whether HIPAA requires healthcare agencies to disclose information without an authorization to parents and/or guardians when the request is made via phone or in person without reviewing the record? Is an Authorization to Release Health Information valid when a person's name and their agency is listed on the form and the street address is listed on the address field?
|
|
Answer:
|
I'm not real clear as to what you are asking, but let me give it a try. HIPAA does not require disclosure; it requires protection. A healthcare clinic has a responsibility to not release protected health information without an authorization. And it should at least confirm the identity and legal authority of the person requesting that information.
A healthcare clinic can require their own specific authorization. I am not sure what you are asking about the form otherwise.
|
|
|
|
Question # 136:
|
How long should we keep patient information? Does it depend on what kind of information it is?
|
|
Answer:
|
Everything I've seen in the HIPAA privacy and security regulations has referred to keeping data for six years after the last use. So far as I've been able to find, it's the same for all materials.
The specific references are to patients being able to request information for up to six years after their last visit.
References:
45 CFR 164.528 Accounting of disclosures of protected health information.
|
|
|
|
Question # 135:
|
I am the medical unit manager for telephonic workers Compensation Case Managers. We by state law have to have a Form 25C completed by the injured workers to access their medical information. Now we are being told by many medical groups that they can not give us any information, even a next appointment date, due to HIPAA. Is this correct? Are we not exempt?
|
|
Answer:
|
The Privacy Rule is not intended to impede the flow of health information to those who need it to process or adjudicate claims, or coordinate care, for injured or ill workers under workers’ compensation systems. The minimum necessary standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose. For disclosures of protected health information made for workers’ compensation purposes under 45 CFR 164.512(l), the minimum necessary standard permits covered entities to disclose information to the full extent authorized by State or other law. In addition, where protected health information is requested by a State workers’ compensation or other public official for such purposes, covered entities are permitted reasonably to rely on the official’s representations that the information requested is the minimum necessary for the intended purpose. See 45 CFR 164.514(d)(3)(iii)(A).
For disclosures of protected health information for payment purposes, covered entities may disclose the type and amount of information necessary to receive payment for any health care provided to an injured or ill worker.
The minimum necessary standard does not apply to disclosures that are required by State or other law or made pursuant to the individual’s authorization.
|
|
|
|
Question # 134:
|
I recently took my 4 year old daughter to the dentist for the first time. They told me that I could not go back with my daughter during her care because of HIPAA and OSHA. I am shocked to hear from several staff members that it was because of HIPAA. I think it should be against the law to allow a minor child to receive medical/dental care without the parent being there to monitor the treatment. How does HIPAA stand on that issue? Was the Dentist office incorrect in telling me that information? Needless to say, my family will not go back to that office.
|
|
Answer:
|
HIPAA does not address this situation at all. Sorry.
|
|
|
|
Question # 133:
|
I work at a dental office. We do not have computers; we do everything by hand. Do we have to follow HIPAA laws?
|
|
Answer:
|
The HIPAA Privacy Rule covers health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
These entities are bound by the new privacy standards even if they contract with others - called business associates - to perform some of these essential functions.
If none of your transactions are done electronically either by your office or by a business associate, you may not be a covered entity. However, very shortly, as I understand it, Medicare will not accept any billing other than electronically. It is just a matter of time that insurance companies will follow suit.
To find out for sure if you are a covered entity or not, take the test on HIPAAps.com. Then check out how easily you can become compliant through that web site.
It is better to become compliant before you have a complaint.
|
|
|
|
Question # 132:
|
I went to my Dr. the other day and they said they HAD to make a photocopy of my driver's license or they would not see me. I said no way. You can look at it and verify it's me. I won for the moment but next time they would not see me. I told them any office person or night cleaning person could take it from my file and use it for identity theft, which is the number one crime in America today! Every law enforcement dept. will tell you not to let anyone photocopy your license for any reason. Some people don't even have a license for many reasons. Can you shed some light on this? Thanks in advance! Scott Russell
|
|
Answer:
|
Apparently this office has adopted this as part of their HIPAA policies and procedures by requesting confirmation of your identity. The request for a copy for their file is to document your identity. I could say that HIPAA requires this office to protect ALL patient data and if your privacy is violated the office is liable. That probably doesn't satisfy you. Why not ask if there is some other form of identification that you can use instead of your license?
|
|
|
|
Question # 131:
|
I am the office manager at a dental office. I have patients that need to premedicate before appointments. My question to you is: 1. By law, who may I leave the reminder to premedicate with if I do not speak to the patient directly? 2. Can my office write up a consent form that the patient may sign indicating who I may leave a premedicate reminder with according to the patient?
|
|
Answer:
|
A covered entity may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
Having the patient sign a consent form indicating who he/she would prefer you leave a message with is a good idea also.
|
|
|
|
Question # 130:
|
Is there a price bracket for practices to charge for copying your chart? We have been requesting a particular practice to release copies of my wife's file for months and they will not cooperate. Today we went in and asked to fill out another authorization, the receptionist stated where she was only releasing the records to me and not to another doctor she had to charge me $15.00 for copying and then an extra $0.50 for each page she copied (the way she said it sounded like she said $15.50 per page, we are not really sure which way she meant). We stated no way. She said if we had it copied and sent to another doctor it would have been free, though. Is that legal?
|
|
Answer:
|
The Privacy Rule permits the covered entity to impose reasonable, cost-based fees. The fee may include only the cost of copying (including supplies and labor) and postage, if the patient requests that the copy be mailed. If the patient has agreed to receive a summary or explanation of his or her protected health information, the covered entity may also charge a fee for preparation of the summary or explanation. The fee may not include costs associated with searching for and retrieving the requested information. See 45 CFR 164.524.
The HIPAA Privacy Rule permits physicians to disclose protected health information to another health care provider for treatment purposes.
Prices are set by the covered entity and not by HIPAA.
|
|
|
|
Question # 129:
|
Can non-profit organizations receive any government relief fund to assist in the transition?
|
|
Answer:
|
I cannot answer this question. You will need to check with the government relief agencies for an answer. Sorry.
Are you a covered entity?
|
|
|
|
Question # 128:
|
When changing from one doctor to another, I was told by my old doctor (Dr. B) that she could not release the full contents of my file to my new doctor (Dr. A), because some of it was created by another doctor (Dr. C) I saw before going to Dr. B. Dr. C says they no longer have my file. Dr. A needs to know my full history; is it true that Dr. B can't release this information?
|
|
Answer:
|
According to the Guidance Document on HIPAA privacy and security, produced by the US Department of Health and Human Services, Office for Civil Rights (the organization in charge of enforcing the HIPAA privacy and security regulations):
"the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment."
We have a copy of that section of the guidance document online at: http://www.hipaaps.com/dec2002/04-minimumnecessary.html; this particular item is the 5th question from the bottom.
(The full guidance document can be found in many places, including http://www.hipaaps.com/dec2002/01-Introduction.html and http://www.hhs.gov/ocr/hipaa/privacy.html.)
The legal definition of "treatment" can be found at 45 CFR 164.501:
"Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another."
It sounds like your old doctor's office has either misunderstood this portion of the law, or is erring on the side of being overly cautious. If they're still giving you trouble, it might help to print out the Minimum Necessary portion of the guidance document and highlight the question specifically dealing with this issue. You may want to include the URL for the official copy of the document, http://www.hhs.gov/ocr/hipaa/privacy.html.
|
|
|
|
Question # 127:
|
With regards to state subpoenas issued by attorneys, must a custodian of records comply with the subpoena as long as proper notice was sent to patient's attorney (notice to consumer), and not require defense counsel to obtain a signed authorization from the patient? Please clarify!!
|
|
Answer:
|
That is a great question, but it calls for a legal interpretation which we can't give. You need to check with your legal counsel. Or you could also refer to the site www.HIPAAps.com Legislature Library for help; 45 CFR 164.512 sets out the requirements and exceptions for disclosure of records when you do not have the patient's authorization.
I hope this helps.
|
|
|
|
Question # 126:
|
When patient information is being stored on a network server, what security measures are required by law to guard against hackers getting onto the network and stealing confidential patient information? What types of patient oriented facilities are held to this standard; Nursing homes, hospitals, insurance companies, etc.?
|
|
Answer:
|
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who conduct certain financial and administrative transactions electronically.
These entities are bound by the new privacy standards even if they contract with others (called business associates) to perform some of the essential functions.
When the information is being stored on a network server, the security measures are whatever make sense to keep the information protected from any outside source. The law says the information must be protected; it does not dictate how. The best protection is a good firewall, passwords, etc.
I hope this helps.
|
|
|
|
Question # 125:
|
My husband has physical custody of his 13 year old son, who is being treated with Orthodontics/braces. We have a contract account set up with the Ortho office. The biological mother is required by Court Order to pay on this child.
When my husband calls the Orthodontist office to ask if they have received payment or if the mother has set up payment arrangements, the Office says that they cannot give my husband, the Custodial Parent, that information because of the new HIPAA law.
Is this correct? Please elaborate.
thank you,
Laurie
|
|
Answer:
|
If the child's mother does not pay the bill, is the father liable?
HIPAA says: "The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity, to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made. Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information."
|
|
|
|
Question # 124:
|
I forgot to include the question about discussing patient information earlier.
If the patient is in a group home, can you discuss the patient's information with the home staff (manager, medical coordinator, provider), or does it have to be the legal guardian?
Thanks again.
|
|
Answer:
|
What information? If this is information you need to care for the patient properly and if you do so in a discreet manner, you would be within HIPAA regulations. However, the guardian and/or the personal representative should also be included in these discussions.
|
|
|
|
Question # 123:
|
When I call in for work, like when I have the flu or something else, should the boss go telling everyone that you're off sick and what's wrong with you? And then go around making jokes about you and your illness while you're off sick??
Thank you
Tracy
|
|
Answer:
|
This is really an HR problem. If your boss got his information from the HR department, it could be considered a violation.
Your boss needs to review the HIPAA regulations such as those on HIPAAps.com.
|
|
|
|
Question # 122:
|
I work for a psychiatrist office. Most of our clientele here are developmentally disabled and in group homes. My question is:
1. Can the staff (either medical coordination, home manager, or provider) sign for the patient, if they are not able to sign for themselves since the guardian never comes in or is impossible to be found?
2. If the home staff is unable to sign on the patient's behalf, can we make a copy of the guardianship paper, attach it to the form and fill in the bottom half of the form stating they are mentally incompetent?
Thanks hope to hear from you soon.
|
|
Answer:
|
This sounds like a legal problem as opposed to a HIPAA problem.
Each patient should have a legal personal representative who is responsible for authorizing their care if they are unable to do so for themselves.
|
|
|
|
Question # 121:
|
I work for a group of specialists and we have a HIPAA privacy officer. She has come up with multiple forms to have patients sign and recently even a graph for all employees to sign if they have had access to the chart. I feel as though we, as employees of the practice, do not need to sign each time we touch the chart for any reason. Is this really part of the law?
|
|
Answer:
|
Each covered entity needs to have its individual set of rules for becoming and staying HIPAA compliant. These are the safety rules set up by the group and not directly dictated by the HIPAA laws. If the group feels this is important then the rules need to be followed.
|
|
|
|
Question # 119:
|
I work in a physician's office and I am on the telephone constantly changing appointments. I am really concerned when I call the patient's house and someone other than the patient answers and they ask who I am, and where I am calling from. Am I allowed to give them the name of our practice, and why I am calling the patient? Thank You
|
|
Answer:
|
A covered entity may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
|
|
|
|
Question # 118:
|
About a month ago my son had some lab work done at a local hospital ordered by his pediatrician. I asked for his lab result and was given some vague answers that I still had answers about. I called the office back and asked them to fax the results to his oncologist's office in another city, which they did. I called his primary doctor's office back again and asked for a copy of his labs. I was told they didn't have a copy of it, which I knew was not true since they had already faxed a copy to someone else. I again asked for a copy of the results. This time I was told I had to sign a release at the hospital to find out my child's results. I had already signed a release at the time of the lab so I didn't know why I had to do it again to get the results. I called the 888 number on the HIPAA website. The person I spoke to agreed that I should have access to my son's record. I called the office and asked again and they released my son as a patient after almost 4 years, apparently because I questioned this. Not only is this unfair to me, but cruel to my son. If they can release info to our insurance company and fax records with only verbal consent, how can they refuse to release lab results to a three year old's mother?
|
|
Answer:
|
The Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.
There are three situations when the parent would not be the minor’s personal representative under the Privacy Rule. These exceptions are: (1) when the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law; (2) when the minor obtains care at the direction of a court or a person appointed by the court; and (3) when, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship. However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access. Parental access would be denied when State or other law prohibits such access. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor’s medical information.
Finally, as is the case with respect to all personal representatives under the Privacy Rule, a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.
I hope this helps answer your questions.
|
|
|
|
Question # 117:
|
I do not know if this falls under HIPAA or not, so here goes. I have a relative that is being taken care of by a family member who also has POA. They have 24 hour help and have been doing this care for almost a year. At this time the relative needs to be placed in a long term care facility due to increased confusion, safety, and the physical and mental health of the care givers. Here is the problem: when the relative is ready to be transported to the facility, there seems to be no reason to place them in a long term facility because the confusion clears up. When this relative arrives at the long term care facility, when asked if she will stay the answer is no. At this point the facility will not accept the relative. Is this the result of the HIPAA legislation?
|
|
Answer:
|
No, I would say this has nothing to do with HIPAA legislation.
|
|
|
|
Question # 116:
|
If a relative (sister) calls a crisis line and asks if you know her sister, are you in violation of HIPAA if you acknowledge the situation - the sister was concerned about her mentally ill sister's living arrangements because the neighbor was making it impossible to sleep - due to noise.
|
|
Answer:
|
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who do electronic transactions
In my opinion, a crisis line probably would not fall into these categories. You might, however, be considered a Business Associate (BA):
(1) A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. And (2) A person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity.
You might need a BA contract with the hospital(s) or doctor(s) you work with.
|
|
|
|
Question # 115:
|
My mother is in a county nursing home in Tn. She and my dad divorced several yrs ago. Being mentally/physically handicapped from an accident 50 yrs ago, my siblings and I had to sign her divorce papers. She is unable to read and write. She would have no idea what a nurse would be saying in regard to HIPAA. My sister lives close by and has always taken care of her needs. The nursing home personnel call one of us when they report falls, need consents for procedures, and for other things of this nature. But when my sister and I tried to find out medications she was taking or to look at her chart, the nurse said according to HIPAA, they could not do this. The nurse called the Dr. and he said it would be ok for them to allow us a copy of her medicines. My mother can't sign papers, read anything or comprehend anything like HIPAA. Doesn't my sister have any rights here? What would be her rights? I have read a lot of the information on your web site, but I am still confused. Please give me any information to assist us in what our rights are when taking care of my mother's needs. Thank you
|
|
Answer:
|
State or other law determines who is authorized to act on an individual’s behalf, thus the Privacy Rule does not address how personal representatives should be identified. Covered entities should continue to identify personal representatives the same way they have in the past. However, the HIPAA Privacy Rule does require covered entities to verify a personal representative’s authority in accordance with 45 CFR 164.514(h) which says: "Standard: Verification requirements. Prior to any disclosure permitted by this subpart, a covered entity must:
(i) Except with respect to disclosures under Sec. 164.510, verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity."
I hope this helps.
|
|
|
|
Question # 114:
|
We have a patient who is under 18. Her mother has signed all the contracts and is the responsible party, yet has never brought her daughter to any appointments, never called to check on her progress. Her grandmother has brought her instead. If the mother isn't available to sign and isn't available for updates, is the grandmother legally able to sign and receive the updates from the doctor?
|
|
Answer:
|
State or other law determines who is authorized to act on an individual’s behalf, thus the Privacy Rule does not address how personal representatives should be identified. Covered entities should continue to identify personal representatives the same way they have in the past. However, the HIPAA Privacy Rule does require covered entities to verify a personal representative’s authority in accordance with 45 CFR 164.514(h).
|
|
|
|
Question # 113:
|
Dear Sir,
The question I am asking is: is the program PC Anywhere, used to transfer files from computer to computer via a modem or TCP/IP connection, HIPAA compliant? Some of the other software that I have checked into says they are compliant with 128 bit encryption and transferring files straight to the other computer with no stopping point. PC Anywhere has the same compatibility. With the other programs you cannot use it to take control of the PC you are needing to use. The reason is that the work I send to my clients, I print for them. The computers at their locations do not have an internet connection. So I am the only one that can access the computer. If PC Anywhere is not compliant, can you please let me know of a program that will give me the same function as what I am needing. Thank you for all information you can provide.
|
|
Answer:
|
I am not that familiar with PC Anywhere. Probably you should ask this question of the company who owns PC Anywhere. They should be able to enlighten you on its security.
Sorry I can't be more help.
|
|
|
|
Question # 112:
|
I work for a chiropractic office and we send out letters to previous patients. The letters are offering the patient a complimentary exam and free adjustment. Are these types of letters within HIPAA guidelines?
|
|
Answer:
|
Yes, if the communication is for the individual’s treatment or for case management, care coordination, or the recommendation of alternative therapies. The HIPAA Privacy Rule permits the use of clinical information to the extent it is reasonably necessary for these communications.
|
|
|
|
Question # 111:
|
I work for a third party appointment confirmation service exclusively for dentists. Our firm has signed the appropriate forms for HIPAA compliance. We transmit lists of client names, appointment dates and phone numbers via a secure FTP site and encrypted e-mails. Does this comply with HIPAA regulations? Do the e-mails have to be encrypted, given the limited information on them?
|
|
Answer:
|
To whom do you send the client lists? To the appropriate dentist of the patient?
The Privacy Rule regulates covered entities, not business associates. The Rule requires covered entities to include specific provisions in agreements with business associates to safeguard protected health information, and addresse |