Health Information Compliance Alert

Compliance:

Dispel 7 Common HIPAA Compliance Myths

What to do when clergy members want to visit hospital patients.

With all the minutiae and strict guidelines in HIPAA compliance, some of the more overarching rules are easy to overlook. As you wade through the HIPAA Privacy, Security and Breach Notification Rules, don’t let these popular myths (as identified by the Centers for Medicare & Medicaid Services) bog you down.

Know the Key Changes from the Omnibus Final Rule

Myth: The HIPAA Omnibus Rule does not make any substantial changes to the Privacy, Security and Breach Notification Rules.

Reality: The HIPAA Omnibus Final Rule makes several important changes to the regulations; most significantly, the final rule:

  • Allows patients to request a copy of their electronic medical record in an electronic format;
  • Allows patients to instruct their healthcare provider not to share information about their treatment with their health insurer when they pay with cash;
  • Streamlines individuals’ ability to authorize the use of their health information for research purposes; and
  • Clarifies that the HIPAA Privacy Rule protects genetic information and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

Remember: Disclosures for Treatment Purposes are Okay

Myth: Patients must sign consent forms before doctors, hospitals, or ambulances may share information for treatment purposes.

Reality: HIPAA does not require patients to sign consent forms before healthcare providers can share information for treatment purposes. You may share patient information with other healthcare providers without obtaining a signed patient authorization.

When Incidental Disclosures Won’t Get You Into Trouble

Myth: HIPAA requires you to eliminate all incidental disclosures.

Reality: The Privacy Rule specifically acknowledges that you cannot eliminate all risk of incidental disclosures and that incidental disclosures do not violate HIPAA when you have policies in place that reasonably safeguard and appropriately limit how you use and disclose protected health information (PHI). For more guidance, see the HHS Office for Civil Rights’ (OCR’s) “Incidental Uses and Disclosures” fact sheet at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/incidentalusesanddisclosures.html .

Communicate Freely with Your Patients

Myth: HIPAA makes using electronics very difficult.

Reality: HIPAA is not anti-electronic and allows you to use email, telephone, or fax machines to communicate with patients and other healthcare professionals. But you must use appropriate safeguards to protect patient privacy. You can review more information on such safeguards at www.hhs.gov/ocr/privacy/hipaa/faq/disclosures/482.html .

Communicate with Family and Friends, Too

Myth: HIPAA does not allow you to communicate with the families and friends of patients.

Reality: HIPAA does not cut off all communications between healthcare professionals and patients’ families and friends. As long as the patient does not object, you may provide information to a patient’s family, friends, or anyone else whom a patient identifies as involved in his care. The Privacy Rule also allows (unless a patient objects) hospitals and healthcare professionals to notify a family member or anyone responsible for the patient’s care about the patient’s location and general condition.

If a patient is incapacitated, you may share appropriate information with the patient’s family and friends, in good faith that doing so is in the patient’s best interest. For more information, review the guide on this topic at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf .

Let the Clergy Visit

Myth: HIPAA prohibits calls or visits to hospitals by patients’ friends, the clergy, or anyone else.

Reality: HIPAA does not prevent calls or visits to hospitals by patients’ family or friends, the clergy, or anyone else. Unless a patient objects, hospitals can provide basic patient information, such as the patient’s phone and room number, in the hospital directory.

Clergy members may access a patient’s religious affiliation (if provided) and don’t need to ask for patients by name. For more information, reference the Facility Directories FAQs web page at www.hhs.gov/ocr/privacy/hipaa/faq/facility_directories/index.html .

Don’t Hesitate to Report Child Abuse

Myth: HIPAA prohibits child abuse reporting.

Reality: You may report child abuse or neglect to the appropriate government authorities. For more information, review the Public Health fact sheet at www.hhs.gov/ocr/privacy/hipaa/understanding/special/publichealth/index.html .