INTRODUCTION

 

Our commitment to HIPAA regulations and PHI (Protected Health Information) is paramount.

Although our organization is not considered a Covered Entity, many of our clients are medical offices and are just that; a Covered Entity according to the U.S. Department of Health and Human Services and must comply with HIPAA rules and regulations. Therefore, reminderXchange will:

 

F.A.Q.'s

 

Question: Are appointment reminders allowed under the HIPAA Privacy Rule without authorizations?

 

Answer: Yes. According to the U.S. Deptartment of Health and Human Services, appointment reminders are considered part of the treatment of an individual and, therefore, can be made without an authorization. Please reference:

http://www.hhs.gov/hipaafaq/providers/smaller/286.html.

 

 

Question:  Are medical offices or pharmacists allowed to leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready?

 

Answer:  Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail, or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual's privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name, number and other pertinent information necessary to confirm an appointment. A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends or other persons regarding an individual's care, even when the individual is not present. However, professional judgment should be used to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3). In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive calls at the workplace rather than at home to be reasonable and should be accommodated, absent extenuating circumstances. See 45 CFR 164.522(b). Please reference: http://www.hhs.gov/hipaafaq/providers/smaller/198.html

 

 

Question:  It is common for hospitals and other health care providers to collect preoperative information over the phone from a new patient prior to the day of surgery in order to determine whether the patient has any special medical concerns or issues that need to be addressed. Does the HIPAA Privacy Rule prohibit this practice if the patient has not yet received or acknowledged the provider’s notice?

 

Answer:  No, the Privacy Rule does not prohibit this practice. Where a health care provider’s initial contact with a patient is simply to schedule an appointment or a procedure, or to collect information in anticipation of an appointment or a procedure, the Privacy Rule’s requirements for providing the notice and obtaining a patient’s acknowledgment of the notice may be satisfied at the time the individual arrives at the provider’s facility for his or her appointment or procedure. Please reference:  http://www.hhs.gov/ocr/privacy/hipaa/faq/notice_of_privacy_practices/345.html

 

 

Question:  Does the HIPAA Privacy Rule permit doctors, nurses and other health care providers to share patient health information for treatment purposes without the patient’s authorization?

 

Answer:  Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses and other medical information for treatment purposes without the patient’s authorization. This includes sharing the information to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient. See 45 CFR 164.506. Please reference:

http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/481.html

 

 

Question:  What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?

 

Answer:   The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs. By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, health care operations or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization. Please reference:

http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/264.html

 

 

Question:  Who is responsible for amendment of protected health information in an electronic health information exchange environment?

 

Answer:  The HIPAA Privacy Rule designates a covered entity as the responsible party for acting on an amendment request. However, a health information organization (HIO), acting as a business associate of the covered entity, may be required by its business associate contract to perform certain functions related to amendments, such as informing other participants in the HIO’s health information exchange who are known to have the individual’s information, of the amendment. See 45 CFR 164.504(e)(2)(i)(F). Please reference:

http://www.hhs.gov/ocr/privacy/hipaa/faq/heath_information_technology/548.html

 

back to top