HIPAA Myths: Do you know what’s true?

In healthcare, HIPAA has attained a very well-known status.  I sometimes compare HIPAA in healthcare to Miranda rights in the criminal context.  Everyone has heard of it and knows that it is referred to often, but does that actually lead to understanding?  Confusion about the scope of HIPAA can lead to frustration because individuals are denied access to their medical records or certain actions are denied.

A popular topic of discussion surrounding HIPAA, therefore, is the myths that develop about what HIPAA does or does not do.  Over the next couple of blog posts, I will explore some common myths about HIPAA and try to explain the truth behind what the law and its implementing regulations actually do.  See how you do as you read along.

Myth #1 – HIPAA prevents your medical providers from sharing medical information without your permission.

This is FALSE.  Under the HIPAA Privacy Rule, covered entities and their business associates (these are the individuals or entities actually subject to HIPAA) may share protected health information for certain purposes without offering an opportunity to object or needing authorization.  Treatment is one of those instances.  Treatment covers the provision of medical services, including obtaining consultations and making referrals.  To facilitate treatment, records often need to be shared, and this would be overly complicated if an individual had to consent each time their providers wanted to share records.

Myth #2 – Providers cannot share your protected health information with your family members or caregivers without your permission.

This is FALSE.  With a clear authorization from the affected individual, that person can direct that their protected health information be shared with whomever they identify.  Additionally, the HIPAA Privacy Rule contains a specific section (45 CFR § 164.510(b)) that covers disclosures to individuals involved in a person’s care.  While there are instances where the opportunity to object must be provided, an affirmative authorization does not need to be given.  Therefore, HIPAA does not prevent the sharing of health information.

Myth #3 – HIPAA prevents providers and individuals from communicating by email.

This is FALSE.  HIPAA does not prevent email communication.  HIPAA does include requirements for the protection of electronic protected health information, including a very strong recommendation/suggestion that any transmittal or storage of electronic protected health information be encrypted.  However, HIPAA also enables an individual to direct their provider how to communicate information, which request must be honored by the provider.  For a more in-depth discussion of HIPAA and email concerns, check out the post I wrote for HITECH Answers.

Myth #4 – HIPAA prohibits providers from announcing a patient’s name in the waiting room.

This is FALSE.  HIPAA does not prevent the use of a patient’s name when calling them back to the exam room.  However, discretion is still advisable to not announce a patient’s condition or the treatment that will be provided when calling the patient back.  If this myth were true, it would place an unreasonable burden and restriction on the operation of a provider’s office.  This is one example where HIPAA’s requirements are exaggerated and create unnecessary concerns.

Myth #5 – HIPAA prevents a provider from charging an individual for obtaining a copy of their medical record.

This is FALSE.  HIPAA gives an individual the right to obtain a copy of their medical record and requires that the copy not only be provided in a certain amount of time, but also in the format requested by the individual.  However, HIPAA recognizes that there may be costs in time and supplies to make the copy and allows the provider to charge a “reasonable” fee.  The Privacy Rule sets forth certain criteria that may be used in determining that fee, but the copy is clearly not free.  When setting that charge, though, HIPAA is not the only concern.  State laws may interpose more restrictive provisions and those requirements, where more restrictive, will control over the HIPAA requirements.

For more HIPAA myths, be sure to watch for my next post, which will go into 5 more common myths.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.