HIPAA Myths and Misconceptions

By Loretta Duncan, FACMPE
October, 2018

Trying to comply with HIPAA can be a challenge for healthcare providers, especially when there is so much confusion about specific aspects of the Rules. On almost a daily basis, policyholders contact SVMIC for assistance with HIPAA-related issues. In fielding those calls and emails, some commonalities have been identified. In an effort to clear up this confusion and bust some of these HIPAA “myths”, a few of the most commonly asked questions are provided below with answers backed by the Department of Health and Human Services (HHS), the entity responsible for enforcement of HIPAA Rules.

When a patient requests a copy of their medical record, may a practice release records that were received from another healthcare provider?

Yes. Excluding records with special protections by state or other federal law, such as psychotherapy notes and notes related to substance abuse treatment, practices are permitted to release other healthcare providers’ records. For example, a primary care practice receives a request from a patient for copies of all of their medical records. The PCP has records from the patient’s cardiologist and gastroenterologist included in their medical record. The PCP may release all of this information to the patient.

The following information is from the guidance provided by HHS on the topic of patient access to their protected health information:  

The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity…Individuals have a right to access this PHI for as long as the information is maintained by a covered entity…regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

Is it a requirement for the patient to sign an authorization or consent when releasing information to another healthcare provider for the purpose of treatment, payment or healthcare operations?

No. HIPAA does not require anything in writing from the patient when disclosing PHI for treatment, payment or healthcare operations. HIPAA does require that the patient’s identity be verified to ensure that the correct individual receives the information. This can be done in a number of ways such as verifying the patient’s date of birth, last four digits of their social security number and/or current mailing address. This process may be done over the phone, in person or electronically through secure email or the patient portal.

https://www.hhs.gov/hipaa/for-professionals/faq/271/does-a-physician-need-written-authorization-to-send-medical-records-to-a-specialist/index.html

Is using a sign-in sheet or calling a patient by their first and last name a HIPAA violation?

No. Using a sign-in sheet is not a HIPAA violation as long as the information on the sign-in sheet is kept to the minimum necessary. For example, a sign-in sheet with the patient’s name, appointment time and the physician being seen would meet the minimum necessary standard. Practices should avoid asking the patient to put their reason for visit or contact information on the sign-in sheet, since this information can be captured in another, more confidential manner. Keep in mind that certain specialties may choose not to have a sign-in sheet simply due to the sensitive nature of their practice.

Calling patients by their first and last name is sometimes necessary because patients may have the same first or last name, or similar names. Again, this is not a HIPAA violation; it is considered an incidental disclosure as long as reasonable safeguards are in place.

https://www.hhs.gov/hipaa/for-professionals/faq/199/may-health-care-providers-use-sign-in-sheets/index.html

May a practice communicate with individuals involved in the patient’s care or payment for their care?

Yes. Communicating with individuals involved in a patient’s care or payment for care is permitted under HIPAA if the patient agrees, or when given the opportunity, does not object.

The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object.

https://www.hhs.gov/hipaa/for-professionals/faq/488/does-hipaa-permit-a-doctor-to-discuss-a-patients-health-status-with-the-patients-family-and-friends/index.html

Is an authorization form required to disclose protected health information to another treating provider?

No. HIPAA permits healthcare providers to share information with other treating providers, without the patient’s written authorization, even in situations when the provider releasing the information did not refer the patient. Here is information from the HHS FAQ that addresses this type of disclosure.

The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.

https://www.hhs.gov/hipaa/for-professionals/faq/271/does-a-physician-need-written-authorization-to-send-medical-records-to-a-specialist/index.html

Navigating HIPAA Privacy, Security and Breach Notification Rules can be difficult at times. HHS has provided a multitude of resources on their website at www.hhs.gov/HIPAA. SVMIC is also a good place to find answers to HIPAA-related questions. The Education Center on the SVMIC website has on demand self-studies, including HIPAA Training for the Medical Office, along with sample forms. For more information about HIPAA compliance or to ask a general HIPAA question, contact Loretta Duncan at LorettaD@svmic.com.


About the Author

Loretta Duncan is a Senior Medical Practice Consultant with SVMIC’s Medical Practice Services department. She joined SVMIC in 2008 to assist Arkansas policyholders with the business side of medicine. Duncan has over 20 years’ experience in healthcare, and currently specializes in assisting policyholders with HIPAA compliance. She earned a bachelor’s degree in organizational management from Central Baptist College and a master’s degree in health law and policy from Samford University, Cumberland School of Law. She is also a board-certified Fellow in the American College of Medical Practice Executives.


The contents of The Sentinel are intended for educational/informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, as specific legal requirements may vary from state to state and/or change over time.