Busting HIPAA myths could be a full time job! We hear HIPAA myths every week, and want to help people separate truth from myth. Some of the myths are so often repeated on the internet, that they’ve become ingrained and are difficult to change, but we will try.
It’s understandable that there are so many rumors, myths and ideas about HIPAA. Although the original Health Information Portability and Accountability Act was passed in 1996, many laws and regulations have been added since, including the HITECH Act and the Omnibus Rule, and HIPAA is still being modified, most recently in 2020 in response to COVID-19.
People tend to think of HIPAA as a barrier to sharing information, but in fact, there are many ways that patient information may be shared. For example, patients have the right of access to their own medical records. First responders may receive and share information, with a patient’s authorization, in many different situations. The trick is to know the rules, and not follow common myths and misunderstandings.
We need to bust these myths, especially now, as telehealth expands to cope with COVID-19. HIPAA requirements for the Notice of Privacy Practices, email and text messaging are still in full force and effect.
The Notice of Privacy Practices is a consent form, or a patient must consent to the NPP.
HIPAA requires that a covered entity provide a Notice of Privacy Practices (NPP) to every individual they see. The NPP informs an individual about the uses and disclosures of the individual’s protected health information (PHI) that may be made by a covered entity, and about the individual’s rights and the covered entity’s legal duties with respect to PHI.
Consent is not required, but HIPAA says that the covered entity should make a good faith effort to obtain a written acknowledgement of receipt of its Notice of Privacy Practices. Acknowledgement of receipt is not mandatory, and it is unrelated to the concept of a consent to treat. Many health care providers combine the NPP with a consent form, which is probably why the myth developed, but HIPAA does not require a “consent” to the NPP. In emergency situations, for example, patients are unable to acknowledge receipt, and some patients simply do not want to. They are not required to.
If a patient does not acknowledge receipt, the provider should simply document that the NPP was provided; that documentation is what satisfies this HIPAA requirement.
The Notice of Privacy Practices does not need to be posted in the provider’s facility or on the website if it’s otherwise available.
HIPAA is clear about this. The NPP must be posted in the facility and in a prominent place on a provider’s website, in addition to being provided in writing to patients.
If a patient voluntarily posts a recommendation or review on social media, they have consented to using their identity (protected health information).
No, this is not true. If a social media page is under your control, such as your practice’s Facebook page, you are responsible for everything that appears there. As a provider and covered entity, you are required to obtain a HIPAA-compliant Authorization before a patient posts a review on a page you control, or gives you a review or testimonial to use on your own website.
Authorizations must be notarized to comply with HIPAA.
Not true. The Authorization should be easy for the patient to provide. However, there are several key elements and required statements for an Authorization to comply with HIPAA, and they’re described here.
Patients must sign a HIPAA Authorization to obtain their own medical records.
One of the most dangerous myths is the confusion between the “right of access” and Authorizations. A patient does not need to sign an Authorization to obtain their own records; the right of access applies. The Office for Civil Rights (OCR), the federal agency that enforces HIPAA, has declared war on violations of the patient right of access. In 2019 it created a Right of Access Initiative to step up investigations of covered entities that violate this basic, essential right of patients. Learn the difference, make sure that patients don’t have to jump through hoops to obtain their own information, and provide it to them promptly.
HIPAA prevents sharing patient information with first responders.
Not true. This myth has been especially troubling during the COVID-19 outbreak, because first responders have been actively helping manage the crisis from the front lines. But under HIPAA, even before COVID-19, there were permitted uses and disclosures of patient information that apply in emergencies. There are five situations that allow the sharing of PHI with first responders; two of the most common are when information must be shared for the purpose of treatment, and when it’s needed to help protect a first responder from infection.
Email is covered by HIPAA but text messaging is not.
Many believe a text message is only governed by the Telephone Consumer Protection Act (TCPA), so HIPAA doesn’t apply. Not true. Email and text messages are both considered forms of electronic communications under HIPAA and must comply with the HIPAA Privacy and Security Rules. Text messaging ALSO must comply with the TCPA.
Patients who send an email or text that is unencrypted have consented to using unencrypted communications.
No. The covered entity must obtain an individual’s consent to use unencrypted communication. If someone texts or emails before they become a patient or client, you must obtain their consent to use unencrypted communication before continuing. The consent process has three steps:
- first, a “light warning” is required – inform the patient there is some level of risk that an unencrypted text or email can be read by someone else;
- if, after the light warning, the patient still wants standard email and text messages (as almost all do) you must follow their direction;
- document the light warning and the patient’s preference in writing.
Note that if the patient prefers encrypted email or text, they have the absolute right to receive it.
The HIPAA E-Tool® Busts Myths
If you have a question about what is true, please write and let us know at firstname.lastname@example.org.
We will respond and will include more common myths about risk analysis, ransomware, cybersecurity, and more, in a future blog.