
Practical HIPAA Questions and Answers

There are a million good questions about HIPAA. The day-to-day practical realities of running a busy office, working with patients, staff, other health care providers, insurance companies and Medicare, create lots of opportunities to think about HIPAA. What’s the best way to work efficiently while safeguarding patient privacy?

Foster Child Patient

Question: We have a child patient who is currently in foster care. They are a patient of record under their real parents’ account. The foster parents would like to schedule appointments but maintain the real parents as the financially responsible party. And a second question: Is it HIPAA appropriate to give information to a foster parent regarding the child, e.g., account information, scheduling appointments, etc.?

Answer: Usually a foster parent has received documentation about the child, and the foster parent’s role, from the social service agency, and included in this documentation there is likely a description of the scope of their authority to act on behalf of the child’s interests – they might have been named the “personal representative” for example for the duration of their care. So you want to “verify their identity and authority” as required by the HIPAA Privacy Rule by asking the foster parents for their documentation that shows their scope of authority, and then you can scan it and put it in the patient’s chart/file. It doesn’t have to be the full “personal representative” designation, but you’re looking for language that gives them authority for health care purposes.

Communicating with Patients

Communicating by phone: When the receptionist or scheduling manager calls to confirm appointments and if the patient answers, how many patient health identifiers do we need to confirm before proceeding with the conversation? Do we need to have them answer all – first name, last name, phone number, email address, home address, etc.? What about when a patient calls our office, how can we confirm their identity?

Answer: Whether you’re calling them or they’re calling you, you don’t need to ask for more than one identifier, and we suggest either date of birth or the last 4 digits of their social security number. Both of these are less commonly known than name, address, etc.

Communicating by email #1: When new patients contact us by email through our website, doesn’t that mean they are consenting to use email to communicate?

Answer: HIPAA does not permit providers to communicate with individuals via unencrypted email or text without first obtaining consent. This is easy to do by following a 3-step safeguard: 1) provide a light warning about the security risks of unencrypted communication, 2) follow the patient’s request, and 3) document the warning and the patient’s request.

Communicating by email #2: We always obtain patients’ consent to use unencrypted email or text before we communicate with them. When we start communicating with the patient via email or text, do we also need to verify patient health identifiers before proceeding with the conversation?

Answer: No, you don’t need to verify after you’ve obtained their consent. Once you have their consent to use unencrypted communication, you just need to be sure you’re using the correct email address or phone number. No further verification is required.

Uses and Disclosures of Protected Health Information

Using PHI in a seminar presentation: We have a doctor who wants to use dental x-ray images in case studies for seminar presentations. There are no identifiers on the images (no name/DOB/ID number, etc.); all you can see are the images, and they are not unique enough to be connected to a particular person.

Answer: Since the x-ray image – the protected health information (PHI) – has been “deidentified”, and cannot be associated with a particular person, this is an acceptable use of PHI that does not require patient authorization, and the image may be used in the presentation without violating HIPAA.

Using patient testimonials: One of the ways our practice has grown has been through patient referrals and testimonials. May we publicize patient testimonials on Facebook and Instagram?

Answer: You may only publish a patient testimonial with the patient’s authorization in advance. This applies to testimonials on your website, in printed pamphlets, and on social media, including Facebook, Instagram, TikTok, etc.

Discussing patient information with another healthcare provider: We are a regional healthcare clinic and need to talk with specialty healthcare providers, long term care institutions and rehab centers. Do we need to obtain the patient’s consent to discuss their file with other providers in our area?

Answer: No. The HIPAA Privacy Rule makes clear that covered entities may use and disclose PHI “for treatment, payment or health care operations”, without authorization. As long as the communication between providers is for these purposes, this is fine.

Patient Right of Access to Medical Records

Question: In what format do we need to provide patients’ medical records when they ask for them? Our practice is connected to an online patient portal where they can actually see most of the relevant information. Isn’t that enough?

Answer: Directing patients to the portal may not be enough because the portal may not contain everything they’re asking for. They have a right to everything in the “designated record set”, which is comprehensive information about care, treatment and billing.

The patient right of access to their own records is a top compliance priority of the Office for Civil Rights (OCR) which enforces HIPAA, and you should be careful to provide access to all the records they request, in the form and format they ask for. They may ask to view the files on paper, or receive electronic or paper copies, or have the records provided on a thumb drive.

Psychotherapy notes, however, are not subject to the right of access rule. These records should be kept separate from the rest of the patient’s medical records.

Under current law (as of March 28, 2023), you must provide the records within 30 days of the request, although the Privacy Rule is expected to change this year, and the 30 days will be reduced to 15.


Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2024 ET&C Group LLC.
