What does the privacy rule require us to do to protect patient's confidentiality when faxing records?
HIPAA Weekly Advisor, November 15, 2002
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: What does the privacy rule require us to do to protect patient's confidentiality when faxing records?
A: HIPAA's privacy rule has forced facilities to reevaluate how they conduct even the most routine tasks, such as faxing patient records.
We have decided to limit the use of fax to send PHI to emergencies. Our policy says staff cannot fax any health information except in emergencies. HIPAA does not require policies to be this strict.
Take the following steps to protect the confidentiality of patient records when faxing:
1. Verify the recipient of the fax.
Anyone who faxes information should get the fax and phone number of the facility and call back to verify that it's the right place and that somebody is standing at the fax machine waiting for the fax to come.
You can't be completely sure that the facility requesting that you fax over a patient's records is actually treating the patient. All you can do is call back and make sure it's the right facility.
2. Ask for patient authorization.
Consider requiring authorizations when faxing PHI even for treatment, payment, and health care operations, even though the privacy rule does not mandate them. We always ask for an authorization to release the information from the patient or a family member. We try to get the authorization before we send the record, but if it's life or death, we're obviously not going to keep that person from getting medical attention. We ask the hospital to get one and send it to us once the patient is stabilized.
3. Train staff.
The health information management department (HIM) should handle fax requests, but other departments receive calls all the time and often take care of the requests on their own. As part of HIPAA training, train nurses and staff in physician offices and clinics on policies and procedures for faxing patient information. In a perfect world, all requests for medical information should go to HIM, and they should handle them.
Editor's note: Answered by Holly Ballam, RHIA, corporate privacy officer and physician liaison for Beth Israel Deaconess Medical Center in Boston, and adapted from the November 2002 issue of Briefings on HIPAA.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- HIPAA Q&A: Flu shot requirement for hospital employees
- Running an effective peer review committee meeting
- HealthDataInsights posts new issues for medical necessity claims
- Sneak Peek: Effort underway to establish caseload benchmarks
- Q/A: Coding for telescopic intraocular lens
- New FAQ posted on storing laryngoscope blades
- Tip: Perform your own internal investigation prior to government audit
- HIPAA 5010 deadline extended, but threat remains, says AMA
- HHS task force: Consider privacy, security with text messages
- What does case-mix index mean to you?
- E-mailed
-
- Running an effective peer review committee meeting
- HIPAA Q&A: Flu shot requirement for hospital employees
- HHS task force: Consider privacy, security with text messages
- What does case-mix index mean to you?
- Q/A: Coding for telescopic intraocular lens
- Q/A: Correct use of modifier -PT
- Tip: Correctly code bilateral pain management procedures
- "Wall fountains" may be spreading Legionnaires to patients, visitors
- 2012 CPT code changes for ASCs: Shoulder and knee scopes and pain management
- Case Management Monthly, March 2012
- Searched