Are clinical education students that are temporarily shadowing through arrangements with various universities, as well as one-day observers from grade level to high school programs no longer allowed under HIPAA?
Solution: First, the students and universities should not be considered BAs, as neither perform a function for the covered entity. Such relationships can, however, be considered as part of workforce or healthcare operations, as long as appropriate confidentiality and affiliation agreements are in place, and basic overview of HIPAA privacy practices is provided. Also, mention of such programs in NPP may be advisable. ( 1/17/03 )
Some of the small practices do not have the resources for a dedicated privacy officer or exhaustive training.
Solution: HHS Guidances emphasizes that the Rule gives needed flexibility for providers to create their own privacy procedures, tailored to fit their size and needs.
Can practices continue to hand out free products for marketing purposes?
Solution: For all marketing communications, the covered entity may use or disclose PHI only with applicable consent and only in the following circumstances:
in a face-to-face communication
if the product or service is of nominal value (e.g. free toothbrushes with name of covered entity, key chains, calendars, etc.)
it concerns health-related products or services where the covered entity or third party is identified in the communication
In such cases, the communication must identify the covered entity that is making the communication; indicate that the covered entity is being compensated, if true;
provide information on how the individual may "opt out" of future communications; and explain why an individual was targeted and how they might benefit.
Can the staff call out patient names in a waiting room?
Solution: In general, HHS Guidance recognizes the importance of free oral communication, as long as reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lower voices and talking apart). HHS will be proposing regulatory language to clarify circumstances under which oral communication is permitted, including calling out patient names in a waiting room area.
When children become emancipated, they often continue to see the same doctor, and parents often continue to coordinate care and also remain financially responsible. For example, parents may call in to renew prescriptions, schedule appointments, and call for test results. Are there potential HIPAA violations in any or all of these scenarios?
Solution: In each of the cases, there is potential for implicit or explicit release of PHI to the parent. Therefore, once a child is emancipated, they should be given the opportunity to agree or object to any of the above actions taken by the parent. In general, at varying ages of emancipation depending on state, provider supplying direct care should provide the emancipated child with an NPP, and when appropriate, ask the individual to designate one or more personal representatives for their medical activities (authorization). Such "renewal" of NPP may not be legally required, as the law recognizes the initial acknowledgement made by the child's personal representative, but such action may allay potential concerns. ( 5/11/03 )
Some state departments of health (e.g. Washington ) administer immunization registries, and participation in the registry is not required by law. If the state department of health declares that it is not a covered entity (as is the case in WA), then shouldn't there be a BA agreement w/ the health dept, and shouldn't all such disclosures be accounted for? ( 12/18/02 )
How should regular requests for health forms by schools, day care, etc. be handled?
Solution: If getting a written authorization is inconvenient, providing or sending the forms directly to patients might be a better option. A one-time "generic" authorization form, designating various institutions the minor is involved with may not suffice, as HIPAA is very specific about the requirements of authorization forms (form must specify the persons or the class of persons authorized to make and receive disclosures, purpose of the release, and expiration of the release). As a side note, some practices are making sure that the school nurse's office has a dedicated fax machine, as the latter are often shared among open administrative spaces. ( 11/4/02 )
Should the provider supply NPP and any Authorization forms separately to each member of the same family? And what if the Smith parents are divorced, with health insurance under Dad's policy but living with Mom?
Solution: Unlike health plans, providers must maintain separate charts for each patient, so separate NPP and Authorization forms should be maintained. Although, if conditions are identical for different members of the family, forms with multiple names could presumably be photocopied and filed. ( 5/31/02 )
In our Pediatric unit, we photograph all children under the age of six as means of identification in case they are missing. Do we need to develop an authorization form for this as well?
One response: If you are taking photographs for internal purposes, such as security, that would come under your health care operations, and will be covered under a HIPAA consent. You may decide that this is something you want to cite in your notice of privacy practices. If the photo is taken by a contractor, that is a business associate, and you will need a BA agreement. ( 1/25/02 )
What if a minor presents themselves without a parent and seeks medical care?
Solution: In such a scenario, unless an emergency, consent of the personal representative will be required prior to any type of examination or treatment. For first time patients, this means that a NPP has to be acknowledged, and follow-up visits with adults other than personal representatives would require a specific authorization.
Some OB/GYN offices or hospital units may have pictures of babies adorned on the walls. In addition, hospital birth centers sometimes have photographers who take pictures of newborns, to be offered to parents for sale. The fundamental question in both instances is whether a picture in the context of a healthcare facility constitutes PHI. Strict interpretation of HIPAA might suggest that pictures are indeed PHI, and that photographers and film developers are third party who help the CE conduct their operations.
Solution: Some suggest that when parents sign the order form for the pictures, that is a sufficient implicit authorization. To be on the safe side, CEs may wish to have parents sign one more form explicitly authorizing the taking of pictures, and for publicly displaying the pictures. BA agreements may be extended to photographers, and even film developers, although this may be stretching it (6/38/02)
OB units, as part of birth reporting process, may release demographic information about father (inc. marital status, occupation, SSN, state/county of birth) to the county health department. Do public health reporting requirements for a newborn supersede the privacy rights of another individual?
Solution: No consensus on this subject, but public health rationale can be extended beyond the affected individual, as long as safeguards around limitations of use is explicitly and stringently practiced by the local health agency. ( 2/20/03 )
Are physicians allowed to share OB-related PHI of the minors with parents?
Solution: While parents are by default personal representatives of their child for "routine" non-OB PHI, HIPAA and state law "emancipates" minors once they are pregnant, and parents are not entitled to OB PHI unless minor consents. "Emancipation" takes precedence over any other applicable state law in most states. Physician may choose to maintain two separate charts, one OB and the other routine, or better yet, organize single chart so that unauthorized PHI is not released to the parent. Can a minor get a pregnancy screening test without the physician informing the parent of such test if the test is negative? Physician judgment of circumstances should play a role here. ( 10/31/02 )
Many dental practices have exam rooms with multiple stations, as prescribed by ADA , where patients and their families can observe or hear PHI of other patients being freely exchanged. The logic for such setting is for training and for behavioral management of patients.
Solution: build the situation into the NPP, or gain specific authorization from patients.
A dentist conducts a pre-op interview in the waiting room, under justification that he is not a covered entity as defined by HIPAA. Is compliance strictly limited to covered entities?
Solution: At least one interpretation predicts that HIPAA may be construed by the courts as a "standard of care" and hold all providers to these standards when applicable to civil or criminal actions. Therefore, even non CEs may want to establish minimal privacy safeguards. ( 12/3/02 )
From ADA observation of HHS Guidance released on July 6, 2001 (may apply generally to all covered entities)
HIPAA privacy rule would require extensive soundproofing of dental offices and other providers, including restructuring and retrofitting to comply with the privacy rule.
Solution: HHS acknowledged that overheard communications are unavoidable and that reasonable precautions can be taken through the use of lowered voices, or the use of curtains or screens in areas where oral communications often occur between doctors and patients or among professionals treating the patient.