Health Information Privacy Office
See Department of Health and Human Services FAQs at
http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_alp.php
- Are State, county or local health departments required to comply with the HIPAA Privacy Rule?
- Is a copy, facsimile, or electronically transmitted version of a signed Authorization valid under the Privacy Rule?
- Are all healthcare providers covered by HIPAA?
- Is a physician required to give her notice to every patient or can she just post the notice in her waiting room and give a copy to those patients who ask for it?
- Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?
- How does a covered entity identify an individual's personal representative?
- Are State, county or local health departments required to comply with the HIPAA Privacy Rule?
Yes, if a State,
county or local health department performs functions that make it a
covered entity, or otherwise meets the definition of a covered
entity. For example, a state Medicaid program is a covered entity
(i.e., a health plan) as defined in the Privacy Rule. Some health
departments operate health care clinics and thus are health care
providers. If these health care providers transmit health
information electronically in connection with a transaction covered
in the HIPAA Transactions Rule, they are covered entities. For more
information, see the definitions of covered entity, health care
provider, health plan and health care clearinghouse in 45 CFR
160.103. See also, the “Covered Entity Decision Tools” posted at
http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.
These tools address the question of whether a person,
business or agency is a covered health care provider, health care
clearinghouse or health plan.
If the health
department performs some covered functions (i.e., those activities
that make it a provider that conducts certain transactions
electronically, a health plan or a health care clearinghouse) and
other non-covered functions, it may designate those components (or
parts thereof) that perform covered functions as the health care
component(s) of the organization and thereby become a type of
covered entity known as a “hybrid entity.” Most of the requirements
of the Privacy Rule apply only to the hybrid entity’s health care
component(s). If a health department elects to be a hybrid entity,
there are restrictions on how its health care component(s) may
disclose protected health information to other components of the
health department. See 45 CFR 164.504 (a) – (c) for more information
about hybrid entities.
- Is a copy, facsimile, or electronically transmitted version of a signed Authorization valid under the Privacy Rule?
Yes. Under the
Privacy Rule, a covered entity may use or disclose protected health
information pursuant to a copy of a valid and signed Authorization,
including a copy that is received by facsimile or electronically
transmitted.
- Are all healthcare providers covered by HIPAA?
No. Only
healthcare providers
- Is a physician required to give her notice to every patient or can she just post the notice in her waiting room and give a copy to those patients who ask for it?
The HIPAA Privacy
Rule requires a covered health care provider with direct treatment
relationships with individuals to give the notice to every
individual no later than the date of first service delivery to the
individual and to make a good faith effort to obtain the
individual’s written acknowledgment of receipt of the notice. If the
provider maintains an office or other physical site where she
provides health care directly to individuals, the provider must also
post the notice in the facility in a clear and prominent location
where individuals are likely to see it, as well as make the notice
available to those who ask for a copy. See 45 CFR 164.520(c) for
other notice provision requirements.
- Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?
Yes. The HIPAA
Privacy Rule is not intended to prohibit providers from talking to
each other and to their patients. Provisions of this Rule requiring
covered entities to implement reasonable safeguards that reflect
their particular circumstances and exempting treatment disclosures
from certain requirements are intended to ensure that providers’
primary consideration is the appropriate treatment of their
patients. The Privacy Rule recognizes that oral communications often
must occur freely and quickly in treatment settings. Thus, covered
entities are free to engage in communications as required for quick,
effective, and high quality health care. The Privacy Rule also
recognizes that overheard communications in these settings may be
unavoidable and allows for these incidental disclosures.
For example, the
following practices are permissible under the Privacy Rule, if
reasonable precautions are taken to minimize the chance of
incidental disclosures to others who may be nearby:
  - Health care staff may orally coordinate services at hospital nursing stations.
  - Nurses or other health care professionals may discuss a patient’s condition over the phone with the patient, a provider, or a family member.
  - A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.
  - A physician may discuss a patient’s condition or treatment regimen in the patient’s semi-private room.
  - Health care professionals may discuss a patient’s condition during training rounds in an academic or training institution.
  - A pharmacist may discuss a prescription with a patient over the pharmacy counter, or with a physician or the patient over the phone.
In these
circumstances, reasonable precautions could include using lowered
voices or talking apart from others when sharing protected health
information. However, in an emergency situation, in a loud emergency
room, or where a patient is hearing impaired, such precautions may
not be practicable. Covered entities are free to engage in
communications as required for quick, effective, and high quality
health care.
- How does a covered entity identify an individual’s personal representative?
State or
other law determines who is authorized to act on an individual’s
behalf, thus the Privacy Rule does not address how personal
representatives should be identified. Covered entities should
continue to identify personal representatives the same way they have
in the past. However, the HIPAA Privacy Rule does require covered
entities to verify a personal representative’s authority in accord