HIPAA Privacy The Morning After Panel What do we do now? William R. Braithwaite, MD, PhD (moderator) Washington, DC Ross Hallberg, Corporate Compliance Officer John Muir/Mt. Diablo Health System Walnut Creek, CA Ronald Margolis, Chief Information Officer University Hospitals, University of New Mexico Albuquerque, NM

Upload: piers-russell

Post on 05-Jan-2016


Page 1: HIPAA Privacy: The Morning After Panel

What do we do now?

William R. Braithwaite, MD, PhD (moderator), Washington, DC

Ross Hallberg, Corporate Compliance Officer, John Muir/Mt. Diablo Health System, Walnut Creek, CA

Ronald Margolis, Chief Information Officer, University Hospitals, University of New Mexico, Albuquerque, NM

Tina Sernick, Manager, Deloitte & Touche LLP, New York, NY

Page 2: Principles of Fair Info Practices

– Notice: the existence and purpose of record-keeping systems must be known.

– Choice: information is collected only with the knowledge and permission of the subject; used only in ways relevant to the purpose for which the data was collected; and disclosed only with permission or overriding legal authority.

– Access: individuals have the right to see their records and assure the quality of the information (accurate, complete, and timely).

– Security: reasonable safeguards for the confidentiality, integrity, and availability of information.

– Enforcement: violations result in reasonable penalties and mitigation.

Page 3: Individual’s Rights

Individuals have the right to:

– A written notice of information practices from health plans and providers.

– Inspect and obtain a copy of their PHI (DRS).

– Obtain an accounting of disclosures.

– Amend their records.

– Request restrictions on uses and disclosures.

– Accommodation of reasonable communication requests.

– Complain to the covered entity and to HHS.

Page 4: E-mail

Misconception: HIPAA prohibits e-mail between doctor and patient.

Fact: HIPAA allows it. The encryption requirement on Internet transmissions was reduced to ‘addressable’ so that such interactions could continue.

Page 5: Drug Reps

Misconception: HIPAA prohibits drug reps from coming into the back office.

Fact: Given that reasonable efforts have been made to prevent incidental disclosures (to other patients, fax repairman, etc.), HIPAA does not prohibit such activity. HIPAA does, however, prohibit sharing PHI with drug reps (and others) without patient authorization.

Page 6: Prescriptions

Misconception: A friend can’t pick up a prescription without written permission (authorization) from the patient.

Fact: Specifically allowed in HIPAA.

Page 7: Family

Misconception: A doctor can’t talk to family about a patient without written permission.

Fact: Specifically allowed in HIPAA unless the patient objects.

Page 8: Medical Decisions

Misconception: HIPAA sets new rules for who can make medical decisions for patients.

Fact: HIPAA defers such decisions 100% to state law.

Page 9: Medical Records

Misconception: The Medical Records department can’t send records to an MD office for follow-up without patient authorization.

– Newspapers report “lengthy and complicated legal forms are required.”

Fact: Any PHI may be disclosed to any health care provider for treatment purposes without patient permission of any kind.

– Note: this does not conflict with state law, which MAY require such permission.

Page 10: Marketing

Misconception: HIPAA prevents any marketing activity without patient permission.

Fact: The new definition of “marketing” excludes most activity commonly thought of as marketing, as long as it has something to do with health.

– e.g., drug switch letters are not “marketing” under the privacy rules.

Page 11: Costs

Misconception: Complying with HIPAA is extremely costly and will push health care organizations to bankruptcy.

Fact: Most requirements of HIPAA privacy are things that should already be in place. The cost of the new documentation requirements is more than offset by savings from implementation of the transaction standards.

Page 12: Directory

Misconception: HIPAA does not allow a hospital to list patients in its directory without their explicit permission.

Fact: Although the patient must be given the opportunity to object, no permission is required.

– Routinely, when asked for by name, the hospital may disclose the location and general condition of the patient.

– If the patient objects, no information may be disclosed without authorization.

Page 13: Clergy

Misconception: Clergy cannot get a list of patients with their religions.

Fact: Unless a patient objects, clergy may receive a list of patients with their location, general condition, and religious preference.

– If a patient objects, they must be left off such a list.

Page 14: Mandated Disclosures

Misconception: HIPAA mandates new disclosures (including to law enforcement) and removes the right to consent.

Fact: HIPAA requires disclosure of PHI in only two cases:

– Patient access to their own PHI is required.

– HHS access to PHI when investigating a complaint.

– All other use and disclosure is permissive -- NOT required.