Risk Management

Practical Application of HIPAA Privacy Rules (Part 2)

Kimberly Wittchow, JD, OMIC Staff Attorney

Digest, Spring 2003

The compliance deadline of April 14, 2003 is behind us, yet many OMIC insureds continue to grapple with certain provisions of the HIPAA Privacy Rules. For this reason, the Risk Management Hotline will again tackle a sampling of the latest HIPAA queries. Remember that if you are not a Covered Entity as defined under HIPAA, these federal mandates do not directly apply to you.

Q  Can I release information to persons within a patient’s circle of care without a written authorization?

A  Yes. You must, however, provide the patient with an opportunity to agree or object to this disclosure. If the patient is present, the easiest way to do this is to get the patient’s oral permission before sharing protected health information (PHI). If the patient is not present or communication with the patient is impossible, you may, in the exercise of professional judgment, determine whether the disclosure is in the best interest of the individual and, if so, disclose only the information directly relevant to the person’s involvement with the patient’s care. It is advisable to document these oral agreements or professional judgments to disclose.

Q  Can patients request restrictions on the use or disclosure of their protected health information?

A  Yes. Patients have the right to ask for restrictions in the use or disclosure of their PHI, but you are under no obligation to agree. However, if you do agree with the restrictions, you must comply with them. You also must accommodate patients’ reasonable requests to receive communications of PHI by alternative means, such as sending all communications in a closed envelope rather than on a post card.

Q  Is the Notice of Privacy Practices the only policy document my practice needs?

A  No. The Rules additionally require that you have written privacy procedures addressing which staff has access to PHI, how PHI will be used, and when PHI may be disclosed. OMIC’s Sample Compliance Plan* is both a template and a guide for creating your own privacy plan. In addition, you must designate a Privacy Officer, train your employees, and take appropriate disciplinary action if you learn of a breach.

Q  Are fellow health care providers my Business Associates?

A  A Business Associate Agreement is not required when you disclose PHI to another health care provider for treatment of a patient. However, you and another health care provider may be business associates for some other purpose. For example, a hospital might hire you to help train medical students, in which case the hospital would have to obtain an Agreement from you before allowing you access to patient information.

Q  Will the government actually enforce the HIPAA Privacy Rules?

A  In an April 14, 2003 press release, HHS stated that enforcement will be primarily complaint driven. The Office of Civil Rights (OCR) intends to investigate complaints and ensure that the privacy rights of consumers are protected. OCR may impose civil monetary penalties of $100 per failure to comply. The Department of Justice may prosecute criminal violations with fines ranging from $50,000 to $250,000 and prison terms ranging from one to ten years.

Q  Does HIPAA address eye banks?

A  Yes. The Privacy Rules permit you to disclose PHI without authorization to eye banks for the purpose of facilitating cadaveric eye donation and transplantation. Furthermore, the procurement or banking of eyes is not considered health care under the Rules and the organizations that perform such activities are not considered health care providers or Covered Entities when conducting these functions.

Q  Who are patients’ personal representatives and what information can I share with them?

A  HIPAA requires that you treat an individual’s personal representative as the individual with respect to privacy rights. The scope of the personal representative’s authority to act for the individual derives from applicable (generally state) law. Parents have broad authority to act on behalf of their children and legal guardians generally have broad authority to act on behalf of mentally incompetent adults. Conversely, someone with a limited health care power of attorney is that individual’s personal representative only with respect to certain health care decisions.

