Pages

Thursday, June 13, 2013

What, Exactly, Is HIPAA?

The term, "HIPAA" gets thrown around in relation to patient confidentiality, so I thought it might be useful to clarify exactly what HIPAA is.

My understanding of a HIPAA-covered entity, at least for private practice, has been that you're a HIPAA Covered Entity if you bill electronically. End of story. Here's a government chart to corroborate my opinion.

Specifically:












I don't bill electronically, therefore, I am not a HIPAA Covered Entity.

Now, if you do bill electronically, or work with a billing service, then you are a HIPAA Covered Entity. But again, you are restricted in terms of the billing, not other areas.

This is a link to a useful fact sheet from HHS. Some key points:

Health Insurance Portability and Accountability Act (HIPAA) does not require patients to sign consent forms before doctors, hospitals, or ambulances can share information for treatment purposes.

So you can share patient information with other health care providers without the patient's consent.

I think it's still a nice idea to get consent, anyway, but you are not in violation of HIPAA if you don't have it.

HIPAA does not cut off all communications between providers and the families and friends of patients

You can share needed information with family, friends, or caregivers, as long as the patient doesn't object. And if the patient is unable to indicate a preference, you can do what you think is best.

So let's get something straight once and for all. HIPAA is not a catchall term that describes all legal issues surrounding patient privacy and confidentiality. It's about billing electronically.

The next time you hear someone try to reassure you by saying he or she is restricted from revealing patient information because of HIPAA, Uh-Uh.

If you're a HIPAA covered-entity, you need to give your patients forms indicating how their information may be used. And you need to make a good faith effort to get them to sign a form acknowledging receipt of these forms. What you don't need to do is get the patient to consent to the release of information. And in fact, these forms are more about the ways in which the patient's information lacks privacy.

The sample Patient Privacy Notice from NYU Langone includes the following ways a patient's health information may be used, without consent:

Treatment
Payment
Business Operations
Appointment Reminders
Fundraising
Education
Business Associates
Electronic Communications
Research
Public Need

Doesn't sound all that private, to me.

There are non-HIPAA laws regarding patient privacy, doctor-patient privilege, and confidentiality, and these vary by state. I'll go into more detail in a future post.

But for now, PLEASE read Shrink Rap's post on KevinMD for a description of what can happen to privacy under the auspices of "HIPAA".