MLN Matters® Number: SE0726 Revised
Related Change Request (CR) #: N/A
Related CR Release Date: N/A
Effective Date: N/A
Related CR Transmittal #: N/A
Implementation Date: N/A
Note: This article was revised on May 11, 2009, to reflect updated Web addresses for several products referenced in the article.
Provider Types Affected
Physicians, providers, and suppliers who bill Palmetto GBA for services provided to Medicare beneficiaries
Provider Action Needed
The purpose of this Special Edition (SE) article, SE 0726, is to be sure that health care providers are aware of the helpful guidance and technical assistance materials the U.S. Department of Health and Human Services (HHS) has published to clarify the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), specifically, the educational material below. Remind individuals within your organization of:
- the Privacy Rule’s protections for personal health information held by providers and the rights given to patients, who may be assisted by their caregivers and others, and
- the fact that providers are permitted to disclose personal health information needed for patient care and other important purposes.
HHS Privacy Guidance
HHS’ educational materials include a letter to healthcare providers with the following examples to clarify the Privacy Rule.
HIPAA does not require patients to sign consent forms before doctors, hospitals, or ambulances can share information for treatment purposes.
Providers can freely share information with other providers where treatment is concerned, without getting a signed patient authorization. Clear guidance on this topic can be found in a number of places:
HIPAA does not require providers to eliminate all incidental disclosures:
- The Privacy Rule recognizes that it is not practicable to eliminate all risk of incidental disclosures. That is why, in August 2002, HHS adopted specific modifications to that Rule to clarify that incidental disclosures do not violate the Privacy Rule when providers and other covered entities have policies which reasonably safeguard and appropriately limit how protected health information is used and disclosed.
- OCR guidance explains how this applies to customary health care practices, for example, using patient sign-in sheets or nursing station whiteboards, or placing patient charts outside exam rooms. At the HHS/OCR Web site, see the FAQs in the "Incidental Uses and Disclosures" subcategory; search the FAQs on terms like "safeguards" or "disclosure"; or review the Fact Sheet on "Incidental Disclosures". The fact sheet is at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html.
HIPAA does not cut off all communications between providers and the families and friends of patients:
- Doctors and other providers covered by HIPAA can share needed information with family, friends, or with anyone else a patient identifies as involved in his or her care as long as the patient does not object
- The Privacy Rule also makes it clear that, unless a patient objects, doctors, hospitals and other providers can disclose information when needed to notify a family member, or anyone responsible for the patient's care, about the patient's location or general condition
- Even when the patient is incapacitated, a provider can share appropriate information for these purposes if he believes that doing so is in the best interest of the patient
- Review the provider’s guide on communications with a patient’s family, etc. at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf (PDF, 59 KB)
HIPAA does not stop calls or visits to hospitals by family, friends, clergy or anyone else:
- Unless the patient objects, basic information about the patient can still appear in the hospital directory so that when people call or visit and ask for the patient, they can be given the patient's phone and room number, and general health condition
- Clergy, who can access religious affiliation if the patient provided it, do not have to ask for patients by name
- See the FAQs in the "Facility Directories" at www.hhs.gov/ocr/privacy/hipaa/faq/administrative/485.html
HIPAA does not prevent child abuse reporting:
Doctors may continue to report child abuse or neglect to appropriate government authorities. See the explanation in the FAQs on this topic, which can be found, for instance, by searching on the term "child abuse;" or review the fact sheet on
HIPAA is not anti-electronic:
Doctors can continue to use e-mail, the telephone, or fax machines to communicate with patients, providers, and others using common sense, appropriate safeguards to protect patient privacy just as many were doing before the Privacy Rule went into effect. A helpful discussion on this topic can be found at www.hhs.gov/hipaafaq/providers/smaller/482.html.
Additional Information
Disclaimer
This article was prepared as a service to the public and is not intended to grant rights or impose obligations. This article may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage readers to review the specific statutes, regulations and other interpretive materials for a full and accurate statement of their contents. CPT only copyright 2007 American Medical Association.