We hear multiple questions every week from practice managers, privacy officers, IT staff and business owners. HIPAA is a big topic, and having all the right policies and procedures in place is one thing, but dealing with day-to-day questions is a different challenge.
No question is too basic. If you have a question, it’s likely others have the same one. Let us know, and we’ll provide the answers.
Maintaining Patient Privacy
Security Cameras
Question: I want to install security cameras in our office inside the reception room and at the front door. Would that violate HIPAA?
Answer: No. As long as you are using it for internal purposes and not disclosing the camera footage to anyone else. The video footage is protected health information (PHI) and requires the same degree of protection as any other kind of patient information you maintain. Because you obtain and use it for your own internal health care operations, you do not need authorization from patients in advance for its use.
Sharing Protected Health Information with Another Provider
Question: I am an orthopedist in a practice with four physicians. When I leave on vacation, do I need to obtain my patients’ authorization before sharing their files with colleagues who will be covering for me?
Answer: No. A health care provider does not need to obtain a patient’s authorization to disclose protected health information (PHI) to another provider for the purpose of treatment. HIPAA requires that both providers are obligated to maintain the privacy and security of the patient and not disclose PHI to others.
Does HIPAA Survive Death?
Question: A patient of ours passed away recently, and his daughter has asked to see his medical records. May I give them to her since he has passed?
Answer: HIPAA protects the privacy of individuals’ PHI for fifty (50) years after death. So, unless the daughter can prove that she is the personal representative of her father, or that her father authorized her to receive his records, she is not entitled to receive the records.
Cybersecurity Risks
Question: Is cyber insurance a good defense against the costs of cyber crime? Managing cybersecurity risks seems complicated, and if we are hacked we don’t know whether we could afford to recover.
Answer: Cyber insurance is one option to help mitigate risk and manage the costs resulting from cyberattacks. However, there is no substitute for a strong cybersecurity infrastructure. In fact, cyber insurance providers today are increasingly requiring cybersecurity measures be in place before they will even agree to provide insurance. For covered entities and business associates in health care, a strong HIPAA compliance program is fundamental to cybersecurity protections.
Question: How concerned should we be about breaches of patient data caused by unauthorized disclosures, or theft or loss, caused by our own staff, as opposed to IT incidents like hacking from external actors?
Answer: Theft of a laptop or phone, accidental losses, and unauthorized disclosures, whether intentional or by mistake, are all potential risks and should be guarded against with a risk management plan that includes employee training and access controls. Today though, the threat of hacking and IT incidents has grown to huge proportions and accounts for most of the breaches nationwide. A complete HIPAA compliance program will cover all the bases, and following the HIPAA Security Rule is the best possible defense against cybercrime.
COVID and HIPAA
Question: We are a small dental practice looking to grow as the pandemic eases in 2022. May we ask prospective employees whether they have been vaccinated for COVID or flu as part of the hiring process?
Answer: HIPAA does not prevent employers, including covered entities, from asking employees their vaccination status. OCR Guidance about COVID-19 vaccinations and the workplace here.
Question: I received a positive COVID test result from our local private clinic and the next day I received a text message from the local public health agency advising me about care. Did the clinic violate my HIPAA rights by telling the public health agency about my test?
Answer: No, this does not violate HIPAA. A provider may disclose a test result to a public health authority without the patient’s authorization to further the public health authority’s responsibility to guard public health. OCR Guidance here.
Take care not to believe myths about HIPAA and be sure your research is trustworthy. We can help if you have questions.