HIPAA (Health Insurance Portability and Accountability Act) was signed into law 22 years ago. HIPAA continues to be misunderstood and misapplied by many, including health care industry professionals who strive for HIPAA compliance. Here are the top 5 of the most frequent, and frustrating, HIPAA misperceptions seen during 2017:
1. “If I’m using or disclosing protected health information (PHI) for health care operations purposes, I don’t need a Business Associate Agreement."
Answer: HIPAA allows PHI to be used or disclosed for treatment, payment and health care operations purposes, but the term “health care operations” is defined to include specific activities of the covered entity performing them. However, if the covered entity (or business associate) is looking to a third party to perform activities that involve the use or disclosure of PHI, a Business Associate Agreement is needed.
2. “I don’t need to worry about HIPAA if I’m only disclosing a patient’s/member’s telephone number, since that’s not PHI.”
Answer: If the data disclosed was ever PHI, it’s still PHI (unless it has been de-identified in accordance with 45 C.F.R. 164.514).
3. “When a doctor leaves a practice, she can take her patients’ medical records with her.”
Answer: In most cases, the practice entity transmits health information in electronic form in connection with a HIPAA transaction and acts as the covered entity health care provider responsible for HIPAA compliance. A patient can access his or her records and direct that they be sent to the departing physician and if the patient shows up in the departing doctor’s new office, the practice can share the patient’s PHI under the “treatment” exception. If the practice wants the departing doctor to maintain the records of patients she treated while part of the practice, it can enter a records custodian agreement and Business Associate Agreement with the departing doctor.
4. “I can disclose PHI under the “sales exception” to anyone involved in due diligence related to the sale of my health care practice/facility without getting a Business Associate Agreement.”
Answer: HIPAA prohibits the sale of PHI but excluded from this prohibition is the definition of health care operations. This includes the “sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity.” Attorneys, consultants, banks, brokers and even potential buyers should consider whether they are acting as business associates, and careful buyers and sellers may want to require Business Associate Agreements with those accessing PHI.
5. “If I’m treating an overdose victim [or other unconscious or incapacitated person], I can’t share his/her PHI with family members or caregivers.”
Answer: HIPAA allows the disclosure of PHI information in these circumstances: (1) where the patient is unconscious or incapacitated and the provider believes sharing information with family and close friends involved in the patient’s care is in the best interests of the patient; and (2) where the provider believes that sharing information will prevent or lessen a serious and imminent threat to the patient’s health or safety. HIPAA permits providers to exercise discretion in crisis situations.
For more information, please click here.