HIPAA (Health Insurance Portability and Accountability Act)
Question and Answer Review *
General Requirements
Question:
What does the regulation entitled Standards for Privacy of Individually Identifiable Health Information (hereafter the "Privacy Rule"), promulgated by the Department of Health and Human Services (HHS) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), require the average healthcare provider to do?
Answer:
The average healthcare provider must do the following:
- Provide information to patients about their privacy rights and how their information can be used.
- Adopt clear privacy procedures for its practice or facility.
- Train employees to understand the privacy procedures.
- Designate an individual to be responsible for seeing that the privacy procedures are adopted and followed.
- Secure patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
Question:
When will providers need to meet these standards?
Answer:
April 14, 2003.
Patient Consent
Question:
What are the Privacy Rule’s requirements with respect to patient consent?
Answer:
The Privacy Rule establishes a federal requirement that providers obtain a patient’s written consent before using or disclosing the patient’s personal health information to carry out treatment, payment or health care operations (TPO). Patient consent is required before a provider that has a direct treatment relationship with the patient may use or disclose protected health information (PHI) for purposes of TPO.
Question:
Are there any exceptions to this consent requirement?
Answer:
Yes.
- Uses and disclosures for TPO may be permitted without prior consent in an emergency, when a provider is required by law to treat the individual, or when there are substantial communication barriers.
- If a patient refuses to consent to the use or disclosure of their PHI to carry out TPO, the provider may refuse to treat the patient.
- Written consent is needed only one time.
Question:
Must the provider do anything else with the patient?
Answer:
Yes. The provider must give the patient a notice of the provider’s privacy practices and may review that notice prior to the patient’s signing a consent.
Question:
How does a patient consent differ from a patient authorization?
Answer:
An authorization is a more customized document than the consent. It gives the provider permission to use specific PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual.
Question:
What is the interaction between "consent" and "notice"?
Answer:
The consent and the notice of privacy practices are two distinct documents. A consent must refer to the notice and must inform the patient that he has the opportunity to review the notice prior to signing the consent.
Minimum Necessary Information
Question:
How are providers expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
Answer:
The Privacy Rule requires a provider to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. Providers must make their own assessments of what PHI is reasonably necessary for a particular purpose.
Question:
Are disclosures for treatment purposes, including requests for disclosures, between health care providers exempted from the minimum necessary requirements?
Answer:
Yes.
Question:
Does the Privacy Rule prohibit use, disclosure, or requests for the entire medical record?
Answer:
No, as long as the provider has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes.
Oral Communications
Question:
Does the Privacy Rule apply to oral communications?
Answer:
Yes.
Question:
Can a nurse or other health care professional discuss a patient’s condition over the phone with the patient, a provider, or a family member?
Answer:
Yes.
Question:
Does the Privacy Rule require that providers soundproof their rooms?
Answer:
No.
Business Associates
Question:
What is a business associate?
Answer:
The Privacy Rule defines a business associate as a person or entity who provides certain functions, activities, or services for or to a covered provider, involving the use and/or disclosure of PHI. The business associate is not a member of the workforce of the provider, health plan or other covered provider.
Payment
Question:
How is "payment" defined?
Answer:
"Payment" is defined as including the various health activities of a provider to obtain payment or to be reimbursed for their services.
Question:
May a provider use and disclose protected health information for payment purposes, such as billing and collection activities, as well as determining eligibility or coverage under a plan?
Answer:
Yes.
Question:
Does the Privacy Rule prohibit a provider from using a billing, management, or debt collection agency?
Answer:
No, as long as the billing, management or debt collection agency is treated as a business associate in accordance with the Privacy Rule requirements.
* Based upon an overview provided by The Department of Health and Human Services