HIPAA - Frequently Asked Questions

General Information About HIPAA

1. What is HIPAA?

“HIPAA” stands for “the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.” HIPAA is a federal law. HIPAA includes three sets of rules: Administrative Simplification (Transactions and Code Sets), Privacy, and Security. The HIPAA Privacy Rule, which affects the delivery of health care services and operations, requires protection of patient information in a way that does not interfere with patient access to, or the quality of, health care delivery.

2. What is Protected Health Information (“PHI”)?

PHI is health information that can be identified with a specific individual that is transmitted or maintained in electronic or any other media. PHI under HIPAA is very specific and includes names, telephone numbers, address, dates directly related to an individual, e-mail addresses, medical record, account and social security numbers, automobile license plate and serial numbers, as well as others.

3. What is a covered entity?

A covered entity is a healthcare provider, health plan or health care clearinghouse that transmits PHI electronically for purposes of billing, claims payments, remittance, authorization, pre-certification or other electronic services.

4. What is TPO?

“TPO” stands for “Treatment, Payment, and Healthcare Operations.” TPO activities make up the core activities in the delivery of health care. Covered entities use and disclose PHI for use in treatment, payment processing, and healthcare operations without obtaining permission from the patient.

5. What is NPP?

“NPP” stands for the “Notice of Privacy Practices.” HIPAA requires covered entities to advise patients of the covered entity’s privacy practices and the patient’s rights under HIPAA. The notice must include a clear explanation of (1) how a covered entity may use and disclose protected health information about an individual, (2) patients’ rights with respect to personal health information, (3) a covered entity’s obligations regarding personal health information, and (4) who a patient can contact for more information about the organization’s privacy policies.

6. Must I give the NPP each time a patient comes into the office?

Providers must give the NPP to the patient on the first date of service, as of April 14, 2003, or as soon as practicable in an emergency situation. A provider must make a good faith effort to obtain a written acknowledgement of receipt of the NPP from a patient. If the acknowledgement is not received, the provider must document why it was not obtained. Providers must post the NPP in a prominent place at their office and on any web site that provides information about customer services. Changes in the NPP do not need to be sent to every patient, but providers must post their most recent NPP in a prominent place in their office and distribute to new patients.

7. Who enforces the HIPAA laws and regulations?

Patient privacy protections under HIPAA are enforced by the federal Office of Civil Rights and the Secretary of Health and Human Services, and by the Department of Justice when criminal violations of HIPAA are alleged.

8. What are the consequences of non-compliance?

There are various consequences if HIPAA rules are violated, including patient complaints, civil monetary penalties, and criminal fines and penalties. Patients may also choose to file civil litigation alleging violations of privacy and other harms, using the HIPAA requirements as the standard for ensuring the confidentiality of PHI.

9. Who can I call with HIPAA-related questions?

Either your Unit Compliance and Privacy Officer or the Office of Ethics and Compliance can answer your questions or refer you to someone who can.

10. What do I do if a person has a HIPAA complaint?

All HIPAA complaints should be directed to your Unit Compliance and Privacy Officer, in accordance with information detailed in the NPP, or to the Office of Business Conduct.


Communications Containing PHI

Communications should meet two standards:

    1. reasonable safeguards and
    2. minimum necessary.

No matter what we are doing or saying, we should make available to other employees or business associates only the least amount (minimum necessary) of information required to meet a specific, legitimate, medical, research or business need. In addition, we should use reasonable safeguards to protect the information from accidental disclosure.

Examples of reasonable safeguards include:

  • storing documents, CDs, diskettes, and tapes so as to limit access to the records to only those who need them,
  • locking file cabinets and offices,
  • positioning computer screens to limit viewing by unauthorized persons or using privacy screens,
  • maintaining copy machines, printers and fax machines that receive and transmit PHI in areas not accessible to unauthorized persons; and
  • using a “CONFIDENTIAL” stamp on materials that contain PHI.

A. Internal Communications

1. Can we use a sign-in sheet?

Yes, as long as the information that is used meets the reasonable safeguard and minimum necessary standards. This means that the sign-in sheet must contain only the information that is necessary for the purpose of alerting staff that a patient has arrived, e.g. name and time. It may not include information that is not necessary for that purpose, such as medical information.

2. Can we call for patients in our waiting room, or use a patient’s name at the front desk?

Yes, as long as the information meets the reasonable safeguard and minimum necessary standards. Therefore, staff should limit the call to the patient’s name, and should use the most direct means possible under the circumstance to locate the patient.

3. Can I discuss patient care information with my colleagues or with patients if there is a chance that someone else could overhear me?

Yes, if the information used or disclosed meets the reasonable safeguard and minimum necessary standards. HIPAA recognizes that oral communications have to occur freely and quickly in treatment settings in order to deliver efficient and effective health services. HIPAA refers to overheard communications as “incidental disclosures” and permits them as long as the two standards are met.

Permitted oral communications include:

  • Conversations at the nursing station to coordinate care
  • Conversations with patients in a semi-private room or open clinic
  • Discussions among providers about a patient’s condition, e.g., training rounds.

4. Does HIPAA require providers to restructure offices to avoid any possibility that a conversation will be overheard?

No. Covered entities must use reasonable administrative, technical, and physical safeguards to protect the privacy of PHI. The standard does not require restructuring a facility to do so; for example, it does not require private or soundproofed rooms, or encryption of wireless communication or telephone systems. Covered entities must review their own practices, assess the administrative or financial burden of implementing potential safeguards, and determine what steps are reasonable to implement in their own settings in order to protect patient privacy. Reasonable safeguards may include the use of cubicles, dividers, curtains or screens where multiple staff-patient communications occur.

5. Can medical offices use patient medical charts at bedside, whiteboards in clinics or chart holders outside of exam rooms?

Yes, as long as the reasonable safeguard and minimum necessary standards are met. This means that providers must restrict access to persons within their control who have a need to know the information, and must restrict how much information is exposed. However, HIPAA allows covered entities to determine what restrictive measures make sense in their particular environment.

Examples of reasonable safeguards in a physician’s office include charts placed in holders with identifying information toward the wall. A whiteboard with patient names may be used in an area where staff congregates, other than a hallway or alcove, if it is not accessible to the public. Non-employees should be escorted through areas where such information is accessible.

In inpatient areas, HIPAA permits patient names or patient care signs (“high fall risk” or “diabetic diet”) to be posted at patient bedside or at the doors of hospital rooms, as long as the facility has reviewed its practice for the reasonable safeguard and minimum necessary standard.

B. Incidental Uses or Disclosures

1. What happens if someone overhears me, or reads patient information that I have left sitting on my desk?

HIPAA refers to these occurrences as “incidental uses or disclosures.” An incidental use or disclosure is a limited use or disclosure that results from another use or disclosure. HIPAA permits incidental disclosures that result when the original use or disclosure was permitted by HIPAA, and could not reasonably be prevented, as long as the covered entity applied reasonable safeguards and the minimum necessary standard to the original use or disclosure.

For example, HIPAA recognizes that health care providers may need to have confidential conversations with other providers or patients, even if there is a possibility they could be overheard, or to use sign-in sheets at a front desk. HIPAA regards these practices as essential communications that allow people to receive the services that are needed. As long as providers take reasonable precautions to protect confidential information and to use only the information needed to communicate the message, HIPAA allows these communications to occur, even though they may result in other patients or the public gaining access to other persons’ PHI. In the example above, HIPAA would expect providers to speak quietly in conversation or to use only patient names on the sign-in sheet.

An incidental use or disclosure as a byproduct of a use or disclosure that is not permitted by HIPAA would be a violation of HIPAA.

2. Are Covered Entities required to document incidental disclosures in an accounting of disclosures to an individual?

No, a covered entity is not required to account for an incidental disclosure if the incidental disclosure was a permitted disclosure under HIPAA.

3. Is a covered entity required to prevent any incidental use or disclosure of PHI?

No. HIPAA requires only that covered entities implement reasonable safeguards to limit incidental uses or disclosures.

C. Communications With Other Providers and Insurers

1. When do I need to get the patient’s permission to share PHI with other providers and insurers?

HIPAA does not require consent or authorization for disclosure of protected health information for the purpose of treatment by any health care provider. HIPAA allows providers to use or disclose PHI in consulting with other providers about the individual’s treatment, without the patient’s specific permission. Under HIPAA, a provider may share PHI without the patient’s authorization for its own payment purposes, including to insurers, third party administrators, self-funded insurance plans, collection agencies, and credit reporting agencies. In addition, a provider may disclose PHI to another provider so that the other provider may be paid (for example, to a laboratory that needs insurance information so that it can be paid for the services it provided to the patient under the physician’s orders). However, under New Jersey law, a provider is required to obtain a patient’s consent to release medical records to others, including other physicians. If you receive a request to transfer medical records, you will need the patient’s specific consent to do so.

2. Can a pharmacist fill a prescription that was telephoned in by a patient’s physician, without the patient’s written consent or authorization, if the patient is new to the pharmacy?

Yes, the physician shared the patient’s PHI for treatment purposes, and HIPAA does not require the physician to obtain the patient’s permission to share PHI for treatment purposes.

3. Is a doctor’s office permitted to call a hospital, surgery center, or other facility, to arrange for the patient to receive care there, without an authorization?

Yes. HIPAA permits a health care provider to disclose PHI about a patient to another provider, without the patient’s authorization, for treatment, payment or health care operations.

4. Can a physician’s office fax PHI to another provider’s office?

Yes. HIPAA permits providers to communicate PHI for treatment purposes without a patient’s authorization.

D. Communications with Friends and Family

1. Can I discuss my patient’s care or payment with friends or members of their family?

A provider may disclose to a relative, friend, or other designated person the PHI that is directly relevant to that person’s involvement in the patient’s care, or payment for that care, where disclosure is consistent with state law. However, the provider must first offer the patient an opportunity to limit the individuals to whom the covered entity may disclose PHI, unless the provider can reasonably infer from the circumstances, based on his or her professional judgement, that the patient does not object to the disclosure. If the patient was not present for the opportunity to object, is incapacitated, or the situation is an emergency, the provider must determine whether the disclosure is in the patient’s best interest. Even so, the provider may disclose only PHI that is directly relevant to that person’s involvement with the patient. In any case, HIPAA does require that providers verify the identity of the person with whom they communicate before making a disclosure.

2. May I release prescriptions, medical supplies, X-rays, or other forms of protected health information to a relative or friend?

A provider may use professional judgement and its experience with common practice in making this decision. The requirement to verify the identity of an individual to whom the disclosure is made applies.

3. Who is a “personal representative?” How does a covered entity identify a personal representative for HIPAA purposes?

A personal representative is someone who is authorized by law to act on behalf of a patient and exercise his or her rights. Under HIPAA, a personal representative who is authorized by law to act on the patient’s behalf on matters related to health care can exercise the patient’s rights under HIPAA. Someone who has a patient’s power of attorney for anything other than health care will not be authorized to exercise a patient’s HIPAA rights.

4. What role does professional judgement play in determining whether I should share PHI with a friend, family member or personal representative?

A provider may always rely on his or her professional judgement in deciding whether to disclose PHI, consistent with HIPAA and state law. In emergency situations, or where a patient has requested a restriction on communication, a provider may decide to share PHI without an authorization if, in the provider’s judgement, it is in the patient’s best interest to do so. As always, the reasonable safeguard and minimum necessary standards apply. On the other hand, if a physician or other provider reasonably believes that a patient has been or may be subjected to domestic violence, abuse or neglect by the personal representative, or that treating someone as a personal representative could potentially put the patient in danger, the provider may choose not to treat that person as a personal representative and not to disclose information, if in his or her professional judgement doing so would not be in the best interests of the patient, as long as the provider’s determination is consistent with state law. This is true even if the patient is an unemancipated minor.

5. When may a provider share a minor’s PHI with a parent, without the minor’s consent?

HIPAA allows a parent access to medical records and personal health information when that access is not inconsistent with state law. When state law prohibits disclosure, HIPAA prohibits disclosure. If state law is silent on a parent’s right of access, HIPAA allows the provider to use his or her professional judgement in making the determination.

6. What shall I do if a patient’s friend or family member calls me for information?

A provider must first verify the identity of the person who is requesting information. As long as UMDNJ has not agreed to restrict communications with the caller, once the provider has verified identity, the provider may share information within the minimum necessary standard and as permitted by state law. If it is an emergency situation, the provider may exercise professional judgement in determining whether to disclose PHI and what to say.

7. Does HIPAA apply to the PHI of deceased patients?

Yes, HIPAA regulations extend privacy protections to the PHI of deceased patients. A covered entity must have proof of a representative’s legal capacity to act on behalf of the deceased individual.

E. Messages, Mailings, and Appointment Reminders

1. May I leave messages for patients at their homes, either on an answering machine or with a family member?

A request should be made to the patient for a phone number and address where messages may be left or mailed, and whether messages may be left on an answering machine. If the patient has requested that the provider communicate with him or her in a confidential manner, the physician must accommodate the patient’s reasonable request. Even if a patient has permitted messages to be left on an answering machine, providers should limit the content of such messages to safeguard the patient’s privacy.

2. May I mail appointment reminders to my patient’s home?

Reminders may be mailed to the address specified by the patient for such a purpose. A reasonable safeguard would include the use of closed envelopes instead of postcards.

3. Can I send materials to patients telling them about new treatments or services available for their condition or diagnosis?

Yes. HIPAA permits a provider to send its patients communications describing the products and services that the provider offers. HIPAA does not consider this activity to be “marketing,” so the provider does not need to obtain an authorization from patients before doing so.

F. Billing Communications

1. Does HIPAA permit providers, billing agencies and collection agencies to speak with people other than the patient about a patient’s bill?

Yes, as long as providers, billing agencies and collection agencies limit the information disclosed to the minimum necessary, and as long as UMDNJ has not agreed to any restrictions on the information or to those particular persons. Generally, HIPAA permits covered entities including providers, or a business associate acting on behalf of a covered entity, to disclose PHI as necessary to obtain payment for health care, and does not limit to whom disclosure may be made. A Business Associate Agreement may be required.

2. Can I discuss my patient’s payment with members of their family?

Yes, as long as you limit the information disclosed to the minimum necessary, and as long as UMDNJ has not agreed to any restrictions on the information or to those members of their family.

3. Does HIPAA permit providers to share PHI with other providers for the purpose of obtaining payment, or helping the other provider to obtain payment, without the patient’s authorization?

Yes. HIPAA permits a health care provider to disclose PHI about a patient to another provider, without the patient’s authorization, for treatment, payment or health care operations.

Secure Messaging (E-Mailing) Implementation

Secure Email FAQs

Confidential E-mail Messages Text

Instructions (.doc format) for adding Confidential Email Messages text to email:

