HIPAA-Protection of Patient Privacy
What is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act. The federal law originated in 1996 and protects the privacy of a patient's personal and health information. The purpose of HIPAA is to keep medical records and other individually identifiable health information completely private. HIPAA gives patients increased control over their health information.
You've probably signed plenty of HIPAA forms. HIPAA is very important to health care providers of all specialties because patient privacy is a top priority. Doctors, dentists, optometrists, and other healthcare providers are required under HIPAA to provide each patient with a Notice of Privacy Practices at the time of their first visit. Patients must provide a signature, agreeing that they have received a copy of the HIPAA privacy practices. A signature is only required once, no matter how many times you visit the provider.
What information does HIPAA protect?
Information protected by HIPAA includes anything oral or recorded in any form or medium. All information, whether in the past, present, or future, is safeguarded. Physical and psychological health conditions, provisions of care, and payment information are all protected. Examples of protected health information:
- Patient's name, address, birthdate, age, phone and fax numbers, and email addresses
- Medical records, diagnoses, lab work and test results, medical images, and prescriptions
- Billing records, claim data, referral authorizations, and explanations of benefits
- Electronic records, paper records, and oral communications
Healthcare providers are obligated to carefully manage and protect patients' personal information. Healthcare providers are allowed to use patient information for treatment of the patient, payment of bills, and healthcare operations, such as audits, quality improvement, teaching, and government reporting.
Access to healthcare information by healthcare providers is based on "need to know" and "minimum necessary" principles. Healthcare workers should only access information if it is necessary for providing the best patient care. When information is accessed, only the minimum amount of data necessary should be retrieved. Information can be communicated between healthcare providers, such as nurses, doctors, pharmacists, and lab technicians, as long as they are involved in the patient's care. Information may also be communicated to family and friends of the patient if they are involved in the patient's care, unless a patient has objected to sharing personal information. Parents, guardians, and medical powers of attorney can be spoken with as if they are the patient.
What are the rules about disclosing personal information?
Under HIPAA, personal healthcare information can be released to law enforcement without patient permission under certain circumstances. These include:
- Court orders and subpoenas
- Identifying suspects, witnesses, or missing persons
- Reporting about victims of crime, neglect, or abuse
For any other uses, an authorization form must be signed by the patient prior to the release of information. There is special protection for:
- Psychotherapy notes
- Drug and alcohol abuse treatment records
- Research records
- Communicable disease information
- HIV/AIDS status
- Genetic testing
- Evaluation and treatment of mental health disorders
Mental illness medical records have additional safeguards under the law and are treated differently from other types of medical records. Patients being evaluated and treated for mental health problems have the option to be excluded from the facility directory. The facility directory is like a roster of all the facility's patients. HIPAA allows patients with mental health disorders or substance abuse problems to be treated and/or admitted under complete confidentiality. Victims of violent crimes and abuse are also excluded from the facility directory, giving them complete anonymity.
HIPAA requires health care workers to protect patient privacy. Employees who do not comply can face disciplinary action. Privacy violations can occur in many different ways. A nurse and physician discussing patient information in a crowded elevator is a verbal violation of patient privacy. Faxing personal health information to the wrong number is another example of a privacy breach. Criminal penalties for wrongful disclosure can be as high as $250,000 and up to 10 years in prison. Healthcare workers are educated regularly on HIPAA guidelines.
In a world where identity theft is unfortunately common, access to patient information must be highly restricted. HIPAA prioritizes patient privacy. So the next time you're signing pages upon pages of forms at the doctor's office, remember that HIPAA is very important because it protects your irreplaceable personal information.
Comments
HIPAA can be confusing and frustrating, but it's important because it protects your personal information. You should only have to sign the form once though, so it sounds like there's something strange going on at your office. I'd look into that. Thanks again for reading!
Is it a HIPAA violation to have a sign-in sheet with the patient's first and last name on the sheet?
Stacey-I will look into this and let you know what I find out. It seems to me that this would be a violation, and most offices would be found guilty. Another thing I don't like is when the nurse or tech calls out your full name when it's your turn to come back. That also seems like a violation of privacy. Anyway, I'll do some digging and get back to you!
Stacey-This is what the American Medical Association says about your question:
May a physician use a sign-in sheet? Call out names in the waiting area? Place charts outside a patient's room while the patient is waiting to see the physician?
Yes. To the extent these activities result in other people learning a patient's name or other information, the disclosure would be considered "incidental" to the physician's treatment of the patient, and therefore acceptable under HIPAA.
Physicians should take appropriate precautions to limit the amount of information that might be incidentally disclosed in this manner. For example, physicians should not ask patients to list "reason for visit" on a sign-in sheet. With respect to placing charts outside of an examination room or the patient's hospital room while the patient is waiting to see the physician, the physician should take precautions such as turning the front of the chart towards the wall so others do not have the opportunity to read the front page while walking past the room.
Some offices use sticker labels that can be pulled off after you sign in, which is much better than leaving a sign-in sheet out on the desk in my opinion. If you feel your privacy has been violated in any way by a health care provider, the Office for Civil Rights can assist you at 1-800-368-1019. I hope this answers your question.
Is it a violation of HIPAA to call a patient by their last name in the waiting room? For example, if I have to call in Denise Jones, should I say Denise or Mrs. Jones? I have a hard time calling older or elderly people by their first name. Does anyone know if this is a HIPAA violation?
Hi Jenn- Calling a patient by their name in the waiting room falls under the "incidental disclosure" rule highlighted in the previous comment. It seems wrong to call out a person's full name, but according to HIPAA, it is acceptable. Of course, there's nothing wrong with using only the first or last name when calling patients from the waiting room. In fact, I think it's much less revealing to call the person's first name only. Hope this helps!
Thanks for the informative hub. Love your dog avatar! He (or she) looks like a sweetie!
Thanks for reading Peggy. He is a sweetie but a rascal sometimes too!
A friend of ours recently got divorced and is having problems with the medical clinic she takes the children to. She is the custodial parent, but when tests are done and results come in they call her husband instead of her. She tells them they are supposed to call her because she is the custodial parent and she is the one that has taken the kids to see the doctor. They say to her he pays the bills. There is so much more that goes on because of what this clinic is doing; it causes stress between her and her husband. This to me doesn't seem to be within HIPAA rules.
Good hub.
Moonlake-sounds like a complicated situation for sure. Is going to a different clinic an option? Maybe starting fresh some place new would help. If the kids are on his insurance, I don't know if there will be any way around this. I'll see what I can dig up and post a comment when I find some helpful info for you. Thanks for reading.
I work as a nurse in the ER of a local community hospital. In my spare time I like to blog. Sometimes an event from work strikes a thought that I would like to write about. Am I allowed to talk about procedures and diagnosis if I exclude the patient's name? I have been looking around but can get no clear answer. Thanks!
zr-I will look into this. My gut tells me that it's okay to use scenarios from work as long as you don't include any information that identifies or could help in identifying the patient. I'll find out for sure and let you know. Thanks for reading!
I have an unusual Dutch first name and a simple last name. It is unbelievable how often a medical person will slaughter my first name in front of a waiting room full of people - and then ask, "did I pronounce that right?" I always point out that had they just used my last name, it would have been much easier to pronounce. It happened 3 times last week between lab, X-ray and office visit. Last names should be used whenever possible (since it is not against HIPAA regs) if only to show respect - and unless the last name is more difficult to pronounce than the first name. Just use common sense.
Dutchgal-thanks for reading. I'm sure you get tired of hearing your name pronounced incorrectly. I agree that common sense is key, no matter which name (first or last) is used.
Is it against the law for healthcare workers like certified nursing assistants who are working in a nursing home to know if their residents have any diagnosis like HIV or hep A, B, or C even though they work one on one with them?
Sandra-As far as I know, disclosure of HIV status to a CNA is against the law. I know it sounds wrong. The RN taking care of the patient, on the other hand, does have a right to know because she/he is the primary care provider. Anyone who has the right to look through the patient's chart can know about HIV status. My advice to you is to ALWAYS use Universal precautions, no matter what! Protect yourself as best you can. I hope this helps.
A nurse repeatedly gave my mother her blood test results in the doctor's waiting room which was full of people. When my mother complained about her privacy the nurse said all she had to do was request that her test results were given in private. Don't medical privacy laws already cover this? Does a patient really need to ASK for the law to be followed?
Is it against HIPAA policy for me to have my doctor's office fax my records to another doctor's office?
A company that I work for wants to email me patient information. Is this a violation of HIPAA rules?
KerryClem- No, faxing between doctors' offices is not a HIPAA violation. You may have to fill out a form giving your permission though.
WendyM and Diane, I am looking into your questions and will answer back soon!
We send out letters regarding payment delinquency, for example a letter to a patient that their account is 90 days past due. This letter does not contain personal health information other than the patient's name. Recently a letter was sent that had Patient A's name at the top and in the salutation had another name. Is this a violation of HIPAA?
I was in the hospital recently, and friends were in the room at different times of the day to visit. The second day, they had found nothing wrong with me and postponed all tests till the third day (doing nothing all day except paying for a room at the hospital!). One of my friends went out to enquire why and a "patient advocate" came in while friends were in the room and asked about my insurance, was I paying for the bill myself, and by the way your weight is not on the chart, what is it? My friends all had a fit and the "advocate" said oh here you can just write it down on this scrap of paper. Was this a HIPAA violation of privacy or just extreme unprofessionalism?
MimiD-unless there was information that could identify either person, I don't think this would be a HIPAA violation...sounds like an administrative slip.
WendyM-no, you should not have to ask for your information to be kept private. That's what HIPAA is all about. That nurse was wrong to read off test results in a waiting room where other patients could easily hear.
shawna, I know that HIPAA was designed to protect people but I have had so many bad experiences from it. I and my first wife divorced and my daughter had many medical things that she went through, as did my son, and I as the non-custodial parent could know nothing about it. She had so much control and I was never informed. Also my son. They were coached never to talk to me for so long. My daughter made very important decisions that she suddenly realized she didn't have to tell her mom about either. It has been abused and is not fair at all anymore. It is a monstrosity.
I am in dental school and applying for a residency in pediatric dentistry. I'm working on my personal statement right now, and am wanting to include stories from the clinic and my experience as an assistant. Can I use first names only? Or do I have to change them? I'm talking about treatment performed in a few cases, so I'm guessing no names at all, but I thought I'd ask. Thanks for your time!
I would change the names just to be safe. Good luck!
Is using a patient's mother's last name in a report (with NO other identifying info. other than her last name) a HIPAA violation? There is no info. about the patient--no name, no age, no birthday, nothing...The patient and his mother have different last names.
By the way...I should add that this report is for the parent, but must first get approved by my supervisor and is created on my laptop.
Does your supervisor have a reason to know the parent's information, i.e. is your supervisor involved in the patient's care? If so, then as long as the only people that will see the report are the parent and your supervisor, I don't see why using the last name would be a problem. However, I would stay away from having a patient's personal information on your personal laptop. If your laptop is used only at work for work, then it's not a problem. Hope this helps!
RGraf says:
12 months ago
I understand why this law was enacted, but it frustrates me no end. I've signed form after form at various clinics to allow my husband to call and verify appointments. They keep saying that HIPAA prevents them from doing it until I sign a form - which I've done 10 times now and they are not filing it or something.
Thanks for another one of your informative hubs.