A family member storms into the office and demands to know when their spouse’s next appointment is. Should you talk to them?

We often hear questions about real-world, practical situations people deal with every day. May I send records to the patient’s hospital? May I talk to a relative? Does our website comply with HIPAA? This blog includes real questions and practical answers from HIPAA experts.

Family and Friends

Question: If a patient’s family member comes into the waiting room and demands to know when the patient’s next appointment is, may I tell them?

Answer: You may only speak with a patient’s family member or friend if the patient has authorized that person to receive PHI. The authorization must be made in writing, in advance.

Risk Analysis and Risk Management

Question: Our dental practice has four locations. Do we really need to do four separate Risk Analyses?

Answer: Yes. The Office for Civil Rights (OCR), which enforces HIPAA, has been clear about this, most notably in the Fresenius settlement. There have been numerous enforcement settlements since then in which OCR called out the need for a site-specific Risk Analysis, because each location is unique.

Question: I am a case management supervisor and new to our organization. I asked to see our HIPAA policies but the Security Officer told me the policies are confidential and staff are not allowed to see them. Does HIPAA require that the policies be kept confidential?

Answer: No, policies should not be kept confidential. In fact, the opposite is true. Workforce members should have access to HIPAA policies that apply to their responsibilities. A recent OCR settlement agreement with Peachstate Health Management mandates that Peachstate distribute its HIPAA privacy and security policies and procedures to all workforce members and provide certification that the workforce members have read, understand and will abide by the policies and procedures.

Question: We are a small medical practice with three physicians and seven other staff. We outsource our billing and collections to a person who is not on our payroll but works exclusively for us on an hourly basis. She receives and transmits protected health information. Is she part of our workforce or a business associate?

Answer: The hourly worker could be treated as a business associate if she is an independent contractor; if so, you must have a business associate agreement with her. Alternatively, she could be considered a workforce member, in which case you should not have a business associate agreement with her. All workforce members who handle PHI should receive HIPAA training and sign a confidentiality agreement.

Question: We have an alarm system for the building our office is in. We think this is a good security protection, but if we don’t use the alarm system, are we violating HIPAA?

Answer: HIPAA requires that covered entities and business associates have administrative, physical and technical safeguards in place. HIPAA law does not dictate precisely how to create each safeguard. An alarm system is a good physical safeguard, but if the PHI in the office is kept in locked drawers in locked rooms, the alarm system is not mandatory. It’s good extra protection.

Social Media and HIPAA

Question: Can a patient waive their HIPAA privacy rights by posting on social media?

Answer: No, absolutely not. There is no such thing as a waiver for self-reported protected health information. Patients are not required to follow HIPAA, but their providers are. Providers must not disclose any PHI of patients, nor should they allow publication of any PHI on their social media without a valid written HIPAA authorization from the patient in advance.

Question: We are a community-based healthcare provider with a Facebook page. A patient’s sister posted a comment on our page, naming the patient, and saying the counseling she received from us was not helpful. Did the patient’s sister violate HIPAA? Is this a problem for us?

Answer: The sister did not violate HIPAA because HIPAA only applies to covered entities and business associates. However, you as the provider (covered entity) are responsible for anything that appears on your Facebook page, no matter who wrote it. This is a HIPAA violation because it is an impermissible disclosure of protected health information (PHI) on a website you own and control. Facebook has no responsibility for the content of its users’ pages; only the page owners do.

Question: A local celebrity was in a car accident, and when she came to our hospital, I treated her. The media found out from her family about her condition and they reported it on local news and in social media. May I talk to acquaintances of mine about what is already in the press and on social media?

Answer: No, you have a duty under HIPAA to continue to protect the privacy and security of individuals in your care and may not discuss anything about the patient with your friends, even though the media has published information about her. You should not even acknowledge that she is your patient.

The HIPAA E-Tool® Has Answers

Let us know if you have a real-life scenario involving HIPAA and want to know what’s required. Beware of HIPAA myths and advice given by non-experts who want to sell marketing services. If you’re in doubt, ask us.
