Home

  • Home
    • » e-Newsletters

Recognize common HIPAA myths and misconceptions

HIPAA Training Advisor, February 21, 2008

Working proactively to maintain HIPAA compliance and patient privacy is essential. However, some of your efforts to comply may be unnecessary and may even hinder your ability to provide quality care. Ensure that your organization functions efficiently and complies with HIPAA by recognizing these common myths and misconceptions.

  • Myth: Without authorization, you may not share patient information with another treatment provider.

    There is no provision in HIPAA that requires you to obtain patient authorization before you share information with another provider.

    "I'm still seeing many organizations require the patient's signed authorization before they will release information to another treatment provider, and that is simply not required," says Mary D. Brandt, MBA, RHIA, CHE, CHPS, president of Brandt & Associates, Inc., in Bellaire, TX. "I can't even tell you how many times I've seen the flow of information held up because provider number one is requiring a written authorization from provider number two and they won't send the information until they get it."

    A provision in the privacy rule allows patients to request restrictions with respect to what information you can share with another provider, and you should strive to honor such requests to the best of your ability, says Mary Thomason, MSA, RHIA, CHPS, CISSP, senior compliance consultant for Intermountain Healthcare in Salt Lake City. However, waiting for authorization is unnecessary if a patient hasn't requested any restrictions. "It just holds up care," says Thomason. "[The Office of Civil Rights] understands that you need to be able to freely share for treatment reasons."

    Note: Although HIPAA doesn't require authorization before disclosing information, make sure your disclosure does not violate any state or federal laws, such as the Federal Drug and Alcohol Confidentiality Law (42 CFR Part 2).

  • Myth: If a patient can't indicate a preference, you must automatically opt him or her out of the patient directory.

    When patients arrive at your facility, determine whether they want to be listed in the patient directory. However, don't automatically assume that patients who arrive in a condition that renders them unable to make this decision want to opt out. Doing so may actually cause problems.

    When volunteers at a new Intermountain Healthcare facility didn't know whether patients had opted in or out, they assumed an opt-out policy for privacy reasons, says Thomason. Consequently, situations arose when family members dropped a patient off, left briefly to park a car, and upon returning to the facility, were told the patient was not in the facility if he or she had not yet indicated a directory preference.

    Consider designating a patient's directory preference as "not chosen" in these circumstances. However, instructions to give information only to family members and no one else-especially the media-should be inherent in this status, says Thomason. "We need the family there to make decisions," she says. "When we can [determine the patient's preference] for sure, we'll change it." However, Thomason recommends an automatic opt-out policy only with respect to patients admitted to a psychiatric unit.

  • Myth: Calling patients in a waiting room by their full names isn't permissible.

    The privacy rule doesn't forbid use of a patient's full name in this situation. Trying alternative methods to identify patients, such as using first names only, may cause confusion if multiple patients in the waiting room share that name, says Thomason.

Most Popular