HIPAA-Ready Reference
<This is intended to be either a wall chart or screen to allow office personnel to easily identify common HIPAA activities that relate to daily operations. These situations commonly arise in physicians, clinics, and hospitals. However many of them may still apply to you if you are not a physician’s practice. Please customize this document to fit the needs and procedures of your office>
Situation—Privacy / Brief Description of HIPAA Event /From the Patient Perspective
New Patient calls to make appointment / 1) See Minimum necessary Procedure (for use and disclosure of information to make appointment).
2) Notice of Privacy Practices if any "treatment" prior to first physical encounter.
New Patient presents for appointment / 1) Notice of Privacy Practices
2) Good faith effort to obtain a written acknowledgement of receipt (or document failure to obtain)
3) Consent(optional)
A patient first seen in the hospital presents for follow up visit / 1) Notice of Privacy Practices
2) Good faith effort to obtain a written acknowledgement or receipt (or document failure to obtain),
3) Consent [optional],
4) If not in OHCA with hospital, may have NPP acknowledgment from hospital encounter.
Patient requests restriction to the U/D of their PHI / 1) See Policy and Procedure-Request Special Privacy Protections;
2) You must reasonably consider all requests;
3) Use Request Special Privacy Protections form to document and track
Patient presents with family member/friend involved with their care / 1) Permissible verbal communication, see Procedure Manual for Verbal Permission;
2) Ask patient if they agree to family member or friend participating in care.
3) Ask patient if this will be a one time permission or long term.
4) Document permission. If long term consider whether an Advanced Directive is necessary.
5) Also, follow Minimum Necessary Procedure for disclosures not consented to
A patient requests designation of personal representative / See Personal Representative procedure..
Patient requests confidential (alternative modality- location) communication channel / 1) See Procedure for alternative confidential communication channel;
2) Use Confidential Communication Channel Request form.
3) Do not intimidate patient or ask for reason for request. Consider requests according to Procedure.
A patient’s spouse calls to inquire about lab results / 1) Permissible only if spouse has been documented as participating in patient’s care, or if this is an emergency situation.
2) Use reasonable means to verify identity of caller.
3) If patient is incapacitated see Procedure for personal representatives.
4) Follow minimum necessary policy.
5) If circumstances require, physician can use their professional judgment in releasing information.
A patient’s spouse calls to inquire about the patient's diagnosis / 1) See Personal Representative Procedure.
2) Is there documentation on file permitting spouse access?
3) Determine if this is an emergency situation or patient is incapacitated. (professional judgment can prevail).
4) Disclose minimum necessary for purpose.
A baby sitter presents with a child who is ill / 1) The baby sitter is not a personal representative or a legal guardian.
2) Use professional judgment to provide care to the patient and inform babysitter about care.
3) As soon as possible notify parents or legal guardians.
4) Can be considered caregiver under 164.510(b)(3); is there documentation on file permitting disclosure to the babysitter by the parent?
A divorced parent requests information about their child’s treatment / 1) Determine if this parent has custody rights and is therefore a legal guardian.
2) See Personal Representative Procedure.
3) Always verify identity if practice does not recognize parent.
Residential facility for developmentally disabled adults requests information / 1) See Access Request Processing Procedure;
2) Use Request for Access form;
The office calls a patient with lab or test results / 1) Determine if an Alternative Confidential Communication Channel exists; if so use that channel.
2) If not communicating directly to the patient (for example leaving a voice mail message) only leave a message asking for a call back, unless your Notice of Privacy Practices indicates you will call with basic results (positive or negative).
3) In all cases use minimum necessary procedure.
Patient requests review of records / 1) See Access Request Processing Procedure;
2) Use Request for Access form.
The office denies the patient’s inspection or it is limited / 1) See Access Request Processing Procedure;
2) Use Request for Access form
Patient appeals the above denial / 1) See Access Request Processing Procedure;
2) Use Request for Access form
Records are copied / 1) See Access Request Processing Procedure;
2) Use Request for Access form
3) Charges for copies must be compliant with these procedures.
Patient requests access to records when you know the patient is suing you for medical malpractice / 1) See Access Request Processing Procedure;
2) Use Request for Access form
3) Also, contact professional liability carrier and follow their counsel
Patient requests access to Mental health records / 1) See Access Request Processing Procedure;
2) Use Request for Access form
Office requests records or PHI from another entity / 1) See Minimum Necessary Procedure.
2) If request is for treatment purposes minimum necessary does not apply.
Patient requests amendment/addendum to PHI / 1) See Amendments to Protected Health Information Procedure.
2) Use Request for Amendment form.
State law requires office to report certain communicable diseases / 1) Notice of Privacy Practices should contain language informing patient of this requirement;
2) Since this is a disclosure for public purposes track using the Disclosure Accounting Log
It becomes necessary to discuss a patient’s care with another staff member within earshot of other patients / 1) Use Appropriate administrative and physical safeguards (164.530c1);
2) Attempt to speak softly or find an isolated location if possible.
3) Incidental disclosures acceptable if basic safeguards are in place.
Office calls a patient to remind them of the appointment / 1) Determine if an Alternative Confidential Communication Channel exists; if so use that channel.
2) If not communicating directly to the patient (for example leaving a voice mail message) follow Minimum Necessary Procedures.
Attorney requests records / 1) Follow Obtaining Written Authorization Procedure (to ensure that a valid authorization is obtained)
2) Follow Verification of Identity policy by asking for patient to sign form.
3) Follow Minimum Necessary Procedure.
Department of Child Welfare requests records / 1) Verify identity of requestor if request is not in writing.
2) Permissible access for public purposes; determine if it is a valid request;
3) Does patient or parent consent?
4) Follow Minimum Necessary Procedure.
5) Track using the Disclosure Accounting Log.
Out of state request by a public agency / 1) Verify Identity if request is not in writing.
2) Determine legality-notify practice’s attorney, professional liability carrier.
3) Does patient or parent consent?
4) Follow Minimum Necessary Procedure.
5) Track using the Disclosure Accounting Log.
School requests records / 1) Authorization required unless records given to patient/parent.
2) Follow Minimum Necessary Procedure unless request is for emergency treatment or care.
Records are subpoenaed / 1) Permissible access for public purposes, law enforcement.
2) Follow minimum necessary Procedure if there is any ambiguity in the request.
3) Track using the Disclosure Accounting Log.
Life or Disability carrier requests records / 1) Follow Obtaining Written Authorization Procedure.
2) Verify identity by requesting patient sign Authorization Form.
3) Follow Minimum Necessary Procedure.
Health insurance or disability insurance carrier requests records for underwriting / 1) Follow Obtaining Written Authorization Procedure.
2) Verify identity by requesting patient sign Authorization Form.
3) Follow Minimum Necessary Procedure.
HHS investigator requests records / 1) Mandatory disclosure, no permission needed.
2) However should trigger notification of Professional Liability carrier, State Medical society and practice attorney
Patient complains about violation of their privacy / 1) Follow Complaint Processing Procedure.
2) Use Complaint Form.
3) Requires high level attention. Do not intimidate patient.
Patient requests accounting of disclosures of PHI / 1) Follow Disclosure Accounting Processing Procedure
2) Use Request for Disclosure Accounting Form.
Situation—Privacy / Description /
From the Entity’s Perspective
Initiating a HIPAA compliance Privacy and Security audit and/or getting a new Privacy/Security official. / 1) Governance of organization should formally approve project/selection of official.
2) Policy and Procedure documents should reflect name of Privacy and Security Official.
3) Use the Audit PrivaGuide and the Audit Checklist to conduct your HIPAA compliance Audit
Initiating a HIPAA compliance project and appointing the Privacy official. / 1) Governance of organization should formally approve project/selection of official.
2) Policy and Procedure documents should reflect name of Privacy Official.
Hire a new office manager (where the job description of the office manager is also that of the privacy official) / 1) If the specific name of the Privacy Official is listed in the Notice of Privacy Practices, revise and publish new Notice.
2) Update the practices job description/duties to reflect new personnel.
3) Ensure Privacy Official is trained and document training (See Workforce Training Procedure).
New hire of staff / Follow Workforce Training Procedure.
Repair person enters office / 1) Use Appropriate physical and administrative safeguards.
2) Use Sign In Sheet for Non-Workforce Personnel and accompany repairman.
3) Determine if this repair person is also a business associate and ensure that a BA agreement is in place.
Routine staff meetings / 1) Integrate HIPAA Workforce Training into routine meetings;
2) Specifically review current privacy events in the practice.
Termination of staff / 1) Review confidentiality agreement that employee signed with organization.
2) Follow appropriate administrative, technical and physical safeguards such as requesting return of keys, change security codes and passwords.
Termination of the office manager (where the job description of the office manager is also that of the privacy official) / 1) Identify and document who will assume Privacy Official duties.
2) If Privacy Official is named in the Notice of Privacy Practices, revise and publish new Notice.
A request to fax records is received from another physician (where the physician is not someone the practice has referred the patient to). / 1) Verify identity of physician requesting records and fax number by asking for the request to be faxed in writing.
2) Confirm with patient physician is involved in treatment.
3) Send records as requested.
A Coroner or medical examiner requests information on a patient / 1) Identify requestor and verify the request.
2) Permissible and covered under CFR 164.512(g)(1).
3) Follow Minimum Necessary Procedure.
Funeral director or home requests information on a patient / 1) Verify identity if request is not in writing.
2) Verify they represent the deceased.
3) If so, it is permissible to release information.
An organ bank requests medical records for a deceased patient / 1) Identify and verify request.
2) Permissible to release information.
3) Follow Minimum Necessary Procedure.
A deceased patient’s estate requests medical records / 1) Confirm identity and legal status of executor or administrator.
2) Permissible to release information.
3) Follow Minimum Necessary Procedure.
Reviewing charts to determine candidates for clinical trials / 1) Notice of Privacy Practices must indicate this use of protected health information.
2) Follow Privacy Rules on access to PHI in the practice.
Enrolling patients in a clinical trial / Authorization required unless it is combined with the Institutional Review Board or Privacy Board’s consent and authorization.
A large employer requests the medical records of a patient / 1) Determine if the employer is self-funded and thus acting as a health plan.
2) Determine if you have a payer contract with the administrator for this employer (it could be via a PPO network) that provides for your disclosure of PHI.
3) If employer is determined to be a health plan and request is for payment, Notice covers this disclosure.
4) Otherwise, authorization required; follow Authorization Procedure and Minimum Necessary Procedure.
Completing a request for medical records from a life insurance, disability or similar underwriter / 1) See Policy and Procedure on Obtaining Written Authorization;
2) Use Authorization form.
3) Ensure office provides information in compliance with its procedure for minimum necessary disclosure.
A work comp carrier requests a copy of the patient’s medical record / 1) Worker’s Compensation access to PHI is permissible subject to state laws on disclosures. Most workers’ compensation records are excluded from HIPAA.
2) Track using the Disclosure Accounting Log.
Contracting to do pre-employment physicals / 1) See Policy and Procedure on Obtaining Written Authorization;
2) Use Authorization form.
Sending recall notices to patients / 1) Appropriate Administrative and Physical safeguards.
2) Recall notice should have limited information. (Follow Minimum Necessary Procedure).
Marketing new services to patients / 1) Permissible if related to treatment.
2) Current Notice of Privacy Practices must contain disclosure regarding this kind of marketing
A health plan requests names of patients with a specific condition for enrollment in their disease management program / 1) Determine if this is for treatment purposes.
2) Is the program one that your office is affiliated with and involved in and must participate in by virtue of its contract with the health plan?
3) If so it is permissible but Notice of Privacy Practices should incorporate this as an example.
4) Follow minimum necessary procedures.
A disease management company working with an employer requests names of patients with a specific condition for enrollment in their disease management program / 1) Verify identity of company and requestor by asking for this in writing.
2) Verify if employer is a health plan.
3) If so release information but follow minimum necessary procedures.
4) If the disease management company is not the health plan (employer) obtain an authorization.
Another physician’s office requests billing information on a patient you are no longer actively treating / 1) Verify identity of other practice by asking for the request in writing (if other practice is not one you are familiar with).
2) Permissible to release information but follow minimum necessary procedures.