Compliance managers in busy offices send us the best questions about everyday HIPAA scenarios. These situations are likely happening in other busy offices, so we’re sharing some of their questions and our answers here.

Wrong Number, Wrong Name

Question: My practice has recently received several faxed referrals from another physician’s office (with the patients’ full health information) but the referrals are addressed to a clinician who is no longer working here. This has happened multiple times over several months. We have called the other physician’s office to let them know that they’ve sent it to the wrong number. The most recent time, the physician’s office told me “oh, that’s weird, because that’s the fax number that the (other) clinician gave me.”

Are there other steps I should take to stop these faxes from continuing to be sent to me? I feel that I’m doing my part by calling the sending physician to let them know, but the fact that they continue to send them makes me feel like I need to do something more to protect these patients’ health information.

Answer: Notifying the practice that sent it was the right thing to do. Although you did not ask, note also that sending unencrypted protected health information (PHI) via fax is permitted, unlike sending it via text or email, where it should be encrypted unless the patient has opted to receive it unencrypted. However, once the other (sending) practice has been told that this is the wrong number and that they should NOT send it to you, they should stop. That is their responsibility, not yours as the receiving practice. We recommend that you document your notification to them in writing, either by emailing or writing a letter, or by making a note in your own files.

Speaking with Family

Question: We have an unmarried patient in intensive care who is unable to speak for himself. He has no living will but his son who is present has been making health decisions for him. Are we violating HIPAA by following the son’s guidance about his father’s care?

Answer: Normally this decision is the patient’s: when they are awake and able to make decisions, they should be given the opportunity to agree or object to consultations with a family member or friend. However, if the patient is unable to speak, and there is no written authorization, living will or power of attorney, the physicians and other providers treating the patient may use their professional judgment to decide what the patient would want, including what is in the patient’s best interests.

When a patient cannot speak for themselves, it is not a HIPAA violation for a physician to discuss a patient’s care with a family member who is present and involved in the patient’s care or payment for care. If the patient is later able to speak and express their wishes, the treating physician should discuss the issue with them and give them an opportunity to express their wishes. This can be done formally, with a signed authorization form, or if it’s better for the patient, they can speak to the caregivers and express their wishes without signing a form. It is not an absolute requirement that the authorization be in writing. If the provider does not receive a written authorization, document the conversation in the patient’s file (date, topic, authorized persons named).

HIPAA Training for Workforce

Question: We provide HIPAA training to new employees and ask them to sign an acknowledgement and confidentiality pledge when they’re hired. Should they re-sign the HIPAA confidentiality form every year, or just when they are first hired?

Answer: From a HIPAA perspective, it is only needed when they are first hired, but check with the HR office in case they have another procedure to follow for HR reasons. However, if you change the form in any substantive way, employees should sign the revised one. For example, some organizations tailor this confidentiality pledge to their own HR policies, so if the form changes for those reasons, have them sign a new one during annual HIPAA refresher training.

Question: We provide new employees with basic HIPAA training, including study guides, a video and a quiz when they’re hired. Is there anything else new employees should review?

Answer: Be sure that training for new employees includes particulars about HIPAA directly related to their own job. For example, someone on the front desk should know about the Notice of Privacy Practices (the NPP) – its purpose, where to find it in the reception area and online. Another important HIPAA topic for all organizations is the patient’s Right of Access to their own medical records. Show staff where to find the Request for Access form, and review with them the basics about how to handle these requests – it should be easy, prompt and at no (or very low) cost for the patient. Finally, be sure all new employees know that if they have a HIPAA-related question they should come to the HIPAA compliance officer right away.

Question: Some of our staff seem reluctant to let us know if they receive a suspicious email at the office. They don’t want to be thought of as “crying wolf” if it comes to nothing and there is no hack or cybercrime involved. Are they right?

Answer: No, they are not right, and they should not be concerned about crying wolf. Healthcare is still by far the most vulnerable industry when it comes to cybercrime, and email is still the most common point of entry for cybercriminals trying to break in and steal valuable patient PHI. Make sure everyone in the workforce knows to stay alert and to report anything suspicious on any electronic device they use that is connected to the medical practice.

HIPAA Compliance Step-by-Step

HIPAA is not hard. It’s easy to follow step-by-step, once you know the steps. Whether you are dealing with a rare complicated question or an everyday scenario, The HIPAA E-Tool® has answers.
