Do you know what’s true?
By Matt Fisher
Twitter: @matt_r_fisher
In healthcare, HIPAA has obtained a very well known status. I sometimes compare HIPAA in healthcare to Miranda rights in the criminal context. Everyone has heard of it and knows that it is referred to often, but does that actually lead to understanding. Confusion about the scope of HIPAA can lead to frustration because individuals are denied access to their medical records or certain actions are denied.
A popular topic of discussion, therefore, surrounding HIPAA are myths that develop about what HIPAA does or does not do. Over the next couple of blog posts, I will explore some common myths about HIPAA and try to explain the truth behind what the law and its implementing regulations actually do. See how you do as you read along.
Myth#1 – HIPAA prevents your medical providers from sharing medical information without your permission;
This is FALSE. Under the HIPAA Privacy Rule, covered entities and their business associates (these are the individuals or entities actually subject to HIPAA) may share protected health information for certain purposes without offering an opportunity to or needing authorization. Treatment is one of those instances. Treatment covers the provision of medical services, including obtaining consultations and making referrals. To facilitate treatment, records often need to be shared and this would be overly complicated if an individual had to consent each time their providers wanted to share records.
Myth #2 – Providers cannot share your protected health information with your family members or caregivers without your permission.
This is FALSE. With a clear authorization from the affected individual, that person can direct that their protected health information be shared with whomever they identify. Additionally, the HIPAA Privacy Rule contains a specific section (45 CFR § 164.510(b)) that covers disclosures to individuals involved in a person’s care. While there are instances where the opportunity to object must be provided, an affirmative authorization does not need to be given. Therefore, HIPAA does not prevent the sharing of health information.
Myth #3 – HIPAA prevents providers and individuals from communicating by email.
This is FALSE. HIPAA does not prevent email communication. HIPAA does include requirements for the protection of electronic protected health information, including a very strong recommendation/suggestion that any transmittal or storage of electronic protected health information be encrypted. However, HIPAA also enables an individual to direct their provider how to communicate information, which request must be honored by the provider. For a more in-depth discussion of HIPAA and email concerns, check out the post I wrote for HITECH Answers.
Myth #4 – HIPAA prohibits providers from announcing a patient’s name in the waiting room.
This is FALSE. HIPAA does not prevent the use of a patient’s name when calling them back to the exam room. However, discretion is still advisable to not announce a patient’s condition or the treatment that will be provided when calling the patient back. If this myth were true, it would place an unreasonable burden and restriction on the operation of a provider’s office. This is one example where HIPAA’s requirements are exaggerated and create unnecessary concerns.
Myth #5 – HIPAA prevents a provider from charging an individual for obtaining a copy of their medical record.
This is FALSE. HIPAA gives an individual the right to obtain a copy of their medical record and requires that the copy not only be provided in a certain amount of time, but also in the format requested by the individual. However, HIPAA recognizes that their may be costs in time and supplies to make the copy and allows the provider to charge a “reasonable” fee. The Privacy Rule sets forth certain criteria that may be sued in determining that fee, but the copy is clearly not free. When setting that charge though, HIPAA is not the only concern. State laws may interpose more restrictive provisions and those requirements, where more restrictive, will control over the HIPAA requirements.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Mat advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.