Frequently Asked Questions - HIPAA
Question: What does the Privacy Rule do?
Answer: Health professionals and health care institutions are already cognizant of protecting the confidentiality of patient information. The Privacy Rule creates a single national standard for protection of individuals’ medical records and other personal health information. Specifically:
- It gives patients more control over their health care information
- It creates boundaries for the use and release of health records
- It identifies safeguards that health care providers and others must establish to protect health care information
- It establishes penalties for violations of patients’ privacy rights
- It enables patients to find out how their information is being used
- It limits release of information, in general, to the minimum reasonable necessary for the purpose of the disclosure
- It gives patients rights regarding their records, including the right to complain if an unauthorized disclosure is made
Question: What general uses will be made of my health care information?
Answer: Your protected health information will be used for patient care (treatment), for billing purposes, and for “operations” which includes things like quality assurance activities, auditing of records, and use of records by students who are participating in care as part of their educational program.
Question: What was the reasoning behind the HIPAA statute?
Answer: In enacting HIPAA, Congress was reacting to the change in culture and technology. In the past, confidential medical information was kept in paper records in locked file cabinets and it was relatively easy to protect the actual paper record. Although health care providers and practitioners have a strong tradition of safeguarding confidential information, based on ethical and legal requirements, personal information now moves from providers’ offices to hospitals, insurers or third party payers, via electronic transmission across state lines. Under the patchwork of state laws that existed prior to HIPAA and the Privacy Rule, personal health information could be distributed, without either notice or authorization, for purposes that had nothing to do with a patient’s medical treatment. For example, unless otherwise forbidden by a state or local law, without the Privacy Rule, health care information could be passed along to a lender who could then deny the patient’s application for a home mortgage. State laws which provide stronger protection than the Privacy Rule will continue to apply over and above the new federal privacy standards.
Question: I received a notice and a form to sign from Staff Benefits. What does it mean and do I need to sign it?
Answer: Staff Benefits is a “covered entity” under the rules, so the benefits office is required to send out a privacy notice. It is a covered entity because it processes protected health information in the course of administering things like the catastrophic leave program, the flexible spending account program, etc. The one-page authorization form is for you to sign IF you want a spouse or other person to be able to get information about your benefits status from the staff benefits office. You do not have to sign it and it does not automatically release information. This must be signed if, for example, you want your spouse or partner to be able to call the benefits office and find out if there is any money left in the flexible spending account.
Question: I have students at UIHC. Do they need to undergo HIPAA Training at the hospital? Do I as a faculty member?
Answer: Yes. If you are a student or faculty member with clinical responsibilities at UIHC you will need to receive the HIPAA Training program offered by the Joint Office for Compliance. The programs will be integrated into the curriculum for students starting in the fall.
Question: What about students who have practicum experiences other places? Do they need HIPAA training?
Answer: Yes. Students are considered members of the “workforce” of the agency where they are doing the clinical experience. The students will need to be trained in the policies and procedures of that agency. We can offer “basic training” in the general Privacy Rule
Question: I do research. What does HIPAA mean to me?
Answer: The Privacy Rule affects records research significantly and the HIPAA Privacy Officer and the IRB are working to implement the rules and develop resources for researchers. If you are involved in a study approved prior to the effective date of the rules (April 14, 2003), that study can proceed without changes. If you are initiating a new study involving records research, there are additional documentation requirements that are being added to the forms that are submitted to the IRB. We have a “links” section on this site that may be helpful and we offer a training program for investigators. You can also call the HIPAA Privacy Officer with any questions.
Question: Can information on patients still be FAX’ed to a referring physician or communicated by telephone?
Answer: The Privacy rules permit disclosure of protected health information for treatment purposes. This can be done by written, oral, or electronic means including FAX transmission. Covered entities must have systems in place that are reasonable and appropriate to safeguard the privacy of the information being transmitted. For example, the sender should confirm that a FAX number is correct; the identity of a person to whom information is given over the phone must be confirmed if information is given at all (there should be policies on this); Fax machines must be in secure locations, and telephone disclosures should not be made where they can be overheard. The standard, according the rules, is “reasonable and appropriate administrative, technical and physical safeguards.”
Question: Can parents see their children’s records under the Privacy Rule?
Answer: Yes, the Privacy Rule generally allows a parent to have access to the health care records of his or her minor child as the child’s “personal representative” when access is not inconsistent with state or other applicable law.
There are three situations when the parent would not be the child’s personal representative under the Privacy Rule. These exceptions are:
1) when the minor is the one who consents to care and the consent of the parent is not required under state or other applicable law;
2) when the minor obtains care at the direction of a court or a person appointed by a court;
3) when a parent agrees that the child and the care provider have a confidential relationship. Even in these situations, a parent may have a right of access if state or other law provides for it. If questions arise in specific cases, contact the Privacy Officers.
As is always the case, if disclosure would endanger the child, such as in a case of abuse or neglect, the provider should act in a way that will protect the child. Questions should be directed to the Privacy Officers.