
HIPAA--Frequently asked questions


  1. Generally what does the Privacy Rule require the hospitals and clinics to do?
  2. Can staff still call out the names of patients in the waiting rooms?
  3. Can staff engage in confidential communications with other health care providers or patients even if there is a possibility they may be overheard?
  4. Are we required to give the patient a copy of the Privacy Notice at each visit?
  5. Can a patient's information be faxed to another provider?
  6. Can patient charts be maintained at bedside or outside of exam rooms, displaying patient names on the outside of patient charts or displaying patient care signs (e.g. "high fall risk" or "diabetic diet") at patient bedside or at doors of hospital rooms?
  7. We customarily display patients' names next to the door of the hospital room that they occupy. Will the HIPAA Privacy Rule allow this to continue?
  8. May staff release a patient's information to family or friends calling to ask about a patient?
  9. What "incidental disclosures" are allowed under the Privacy Rule?
  10. Are whiteboards and other patient schedules allowed?
  11. Is UI Hospitals and Clinics required to give the Notice of Privacy Practices to every patient or just post it in the waiting room and give a copy to those patients who ask for it?
  12. Can a patient have a family member or friend pick up a prescription for her at the pharmacy?
  13. Does the HIPAA Privacy Rule require hospitals to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?
  14. Do we need authorizations for appointment reminders under the HIPAA Privacy Rule?
  15. Does a physician need a patient's written authorization to send a copy of the patient's medical record to a specialist or other health care provider who will treat the patient?
  16. Are health care providers restricted from consulting with other providers about a patient's condition without the patient's written authorization?
  17. Is it a violation of HIPAA to share information about a patient with a co-worker?
  18. How do I ask more questions about HIPAA?


Generally what does the Privacy Rule require the hospitals and clinics to do?

  • Notify patients about their privacy rights and how their health information can be used
  • Adopt and implement privacy policies and procedures
  • Train employees regarding the privacy policies and procedures
  • Designate a Privacy Officer
  • Secure patient records

Can staff still call out the names of patients in the waiting rooms?

Yes. The rule explicitly permits certain incidental disclosures that occur as a by-product of an otherwise permitted disclosure after UI Hospitals and Clinics has applied reasonable and appropriate safeguards.

Can staff engage in confidential communications with other health care providers or patients even if there is a possibility they may be overheard?

Yes. The Privacy Rule is not intended to prohibit health care providers from talking to each other and to their patients. The Rule requires that we implement reasonable safeguards, such as lowering your voice or moving to a more private area. However, the Rule also recognizes that oral communications must occur freely and quickly in treatment settings as required for quick, effective, safe, and high quality health care.

Are we required to give the patient a copy of the Privacy Notice at each visit?

No. The patient must receive the Privacy Notice at their first encounter at UI Hospitals and Clinics starting April 14, 2003. However, the notice will be available on the UI Health Care web site and at all check-in and registration locations throughout the hospital. Patients are welcome to pick up or request a copy of the Notice at any time.

Can a patient's information be faxed to another provider?

Yes, but reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's PHI must be in place. For example, call before sending the fax to confirm the fax number is accurate and that someone is there to receive the fax. The fax cover sheet should contain a confidentiality statement. Our own fax machines should be in a secure location to prevent unauthorized access to PHI.

Can patient charts be maintained at bedside or outside of exam rooms, displaying patient names on the outside of patient charts or displaying patient care signs (e.g. "high fall risk" or "diabetic diet") at patient bedside or at doors of hospital rooms?

Maybe. Reasonable safeguards are needed. For example: access should be limited to these patient care areas. Ensure the area is supervised and escort non-employees through the area. Place patient charts in their holders facing the wall or otherwise covered rather than having patient information visible to anyone who walks by.

We customarily display patients' names next to the door of the hospital room that they occupy. Will the HIPAA Privacy Rule allow this to continue?

Yes. The Privacy Rule explicitly permits certain incidental disclosures. In this case disclosure of patient names by posting on the wall is permitted by the Privacy Rule, if the use or disclosure is for treatment (for example, to ensure that patient care is provided to the correct individual) or health care operations purposes (for example, as a service for patients and their families). The disclosure of such information to other persons (such as other visitors) that will likely occur due to the posting of the patient's name is considered an incidental disclosure and therefore allowed under the law.

May staff release a patient's information to family or friends calling to ask about a patient?

If the patient is an in-bed patient, staff must check to see whether that patient has opted out of the facility directory prior to releasing any information about the patient. If the patient has opted out, the appropriate response is, "there is no information available for that name."

If the patient has not opted out, staff should use their professional judgment before releasing any information. Staff should be satisfied that the inquiring person has the authority to receive that patient's information. For example, if a person calling in states that she is the patient's sister, she should know personal information about the patient such as the birth date, address, etc. If possible, staff should ask the patient if she/he wants their information given to the person requesting it. We would always rather have someone get upset because we did not give out a patient's information than give information to someone who does not have the authority to receive it and thereby breach the patient's privacy.

What "incidental disclosures" are allowed under the Privacy Rule?

Incidental disclosures are permitted only to the extent that reasonable and appropriate safeguards have been applied and the minimum necessary standard has been implemented. Disclosure of patient names outside of patient hospital rooms is the minimum necessary. There do not appear to be additional safeguards that would be reasonable to take in the circumstances. Each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances.

Are whiteboards and other patient schedules allowed?

Whiteboards and other patient schedules should be located in an area not readily visible to the public.

Is UI Hospitals and Clinics required to give the Notice of Privacy Practices to every patient or just post it in the waiting room and give a copy to those patients who ask for it?

HIPAA requires that we give our Notice of Privacy Practices to every individual the first time they have an encounter at UI Hospitals and Clinics. We are required to make a good faith effort to obtain the individual's written acknowledgment of receipt of the Privacy Notice. We must post the notice in a clear and prominent location where individuals are likely to see it and make the notice available to anyone who asks for a copy.

Can a patient have a family member or friend pick up a prescription for her at the pharmacy?

Yes. Pharmacy staff may use their professional judgment and experience in allowing a person other than the patient to pick up a prescription. For example: the fact that a relative or friend arrives at the pharmacy and asks to pick up a specific prescription for an individual verifies that she is involved in the individual's care.

Does the HIPAA Privacy Rule require hospitals to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?

No. The Privacy Rule does not require these types of structural changes be made to facilities. However, appropriate administrative, technical and physical safeguards must be in place to protect the privacy of PHI. We must make reasonable efforts to prevent uses and disclosures not permitted by the Rule.

Examples of types of adjustments or modifications that may be reasonable are:

  • Pharmacies could ask waiting customers to stand a few feet back from a counter used for patient counseling.
  • Use of cubicles, dividers, shields, curtains, or similar barriers may help safeguard patient-staff communications in areas where multiple encounters routinely occur.
  • Patient files should be in supervised or locked areas.

Do we need authorizations for appointment reminders under the HIPAA Privacy Rule?

No. Appointment reminders are considered part of treatment of an individual and can be made without an authorization. Staff may leave a message reminding a patient of their appointment on the patient's home phone, answering machine, or with a household member, unless the patient has made a specific request for the hospital to use a different number or to not leave a message at that phone number. Staff should leave the minimum amount of information necessary.

Does a physician need a patient's written authorization to send a copy of the patient's medical record to a specialist or other health care provider who will treat the patient?

No. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual's authorization, to another health care provider for that provider's treatment of the individual.

Are health care providers restricted from consulting with other providers about a patient's condition without the patient's written authorization?

No. Consulting with another health care provider about a patient is within the HIPAA Privacy Rule's definition of treatment and, therefore, is permissible. In addition, a health care provider (or other covered entity) is expressly permitted to disclose protected health information about an individual to a health care provider for that provider's treatment of the individual.

Is it a violation of HIPAA to share information about a patient with a co-worker?

It depends. In general, HIPAA requires that the minimum necessary information be shared to get the job done, unless the information is needed for treatment. Information may only be shared with co-workers if they need to know the information to do their job.

How do I ask more questions about HIPAA?

You may call the Joint Office for Compliance at 384-8282 with questions.

 

Last modification date: Thu Oct 19 14:39:14 2006
URL: http://www.uihealthcare.com/depts/hipaa/qanda.html