Frequently Asked Questions (FAQs)
- Who/what is covered under HIPAA (covered entity)
- Protected Health Information (PHI)
- Business Associates
- Using Protected Health Information (PHI) for Education
- HIPAA in Patient Treatment
- Disclosure of Protected Health Information (PHI)
Who/what is covered under HIPAA (covered entity)
Q: Is health information in a student's education file covered under HIPAA?
A: No. The contents of education records are covered by FERPA (Family Educational Rights and Privacy Act). This includes health information that is used as part of the education file. However, if the student has a health record from student health services, it is covered under HIPAA.
Q: Is health information in an employee's human resources file covered under HIPAA?
A: No. Information contained in personnel files is maintained under state law. For example, if the employee has had drug tests done at the request of the employer, these are not considered health records; they are considered part of the personnel file and are not covered under HIPAA.
Q: I work in a department that does not directly treat patients. Does HIPAA apply to me?
A: Yes, in that the University is a covered entity under HIPAA. The extent to which HIPAA applies to your daily activities will vary depending on the function of your department. If your students or residents treat patients through affiliated hospitals and clinics, you need to ensure that they are educated on how HIPAA affects them. If you have any health information under your control that identifies a patient, it must be maintained according to HIPAA, even if it is not original health information, such as when used for education or research. If you do not have any type of patient information anywhere in your department and are not exposed to it in any way (e.g., animal research, statistical analysis), then HIPAA will probably not affect operations in your department.
Q: We refer our patients to various agencies in the city. How do I know if another agency is covered by HIPAA?
A: If they are a healthcare provider that receives payment for services, and bills electronically for any portion of payment, they are a covered entity and will need to comply with all HIPAA regulations. If they don't meet the definition of a covered entity, they still need to know about HIPAA because they will probably be dealing with organizations like ours that are covered entities, which impacts how information passes between the two organizations.
Protected Health Information (PHI)
Q: What is Protected Health Information (PHI)?
A: PHI is information that identifies or can be used to identify a patient (individually identifiable information). PHI includes health information in any format - paper (written), electronic, or oral. PHI includes information about the patient's health status or condition and can include research information and photographs, videotapes, and other images.
Business Associates
Q: What is a Business Associate?
A: A person or entity who performs a function on behalf of the organization that involves the use or disclosure of PHI.
Q: What are some examples of Business Associates?
A: External auditors, lawyers, consultants, medical transcription companies, shredding companies, computer or software vendors who may access PHI.
Q: Are physicians Business Associates of the hospitals where they practice?
A: No. A health care provider is not a business associate of the organization for which he/she is providing treatment.
Q: Is a laboratory or pharmacy a business associate?
A: No. We can use or disclose PHI for treatment purposes.
Q: Where do I find a copy of a sample Business Associate agreement?
A: Sample language can be found on the web site at www.uthscsa.edu/hipaa/associates.asp. Make sure that you include any of the other unique provisions of the contract.
Using Protected Health Information (PHI) for Education
Q: Under HIPAA, am I allowed to use PHI in the classroom setting?
A: Yes. Education and training are included in HIPAA's definition of health care operations and are permitted. This means that the faculty may use PHI in lectures, case presentations, or in other classroom settings for educational purposes for students, residents, and other faculty within the university setting. A student or resident can also use PHI for educational purposes in the same types of settings and for similar purposes.
Faculty, residents, or students cannot use PHI in external settings, such as conferences, seminars, and the like, unless specifically authorized to do so by the patient. The students or residents may not take PHI with them when leaving their affiliations with the university, unless specifically authorized to do so by the patient.
Q: Patient's photographs are vital as part of the education process. Can I use these
A: Yes, in the same manner as described above for PHI. Also, see "Disclosure of PHI" below.
Q: We use people from outside the University to pose as patients to assist in teaching our students to do assessments. We get the individual's consent to participate in these sessions and usually videotape them to use with future students. Are these individuals covered under HIPAA?
A: No, these individuals are not considered patients of the University. Even if the individual has real symptoms, in this capacity (which should be clearly explained on the consent form), they are not our patients, and HIPAA does not apply.
Q: Sometimes we allow outside vendors to be present at our case presentations or to observe surgery so that they can become better educated about how we use their product to improve the product for the benefit of the patient. Is this allowed under HIPAA?
A: When allowing anyone from outside the University who is not involved in the patient's care to attend any part of a case presentation on a patient, the identifying information must be removed to preserve the patient's privacy, or you must obtain specific, written patient authorization. The patient must consent before anyone outside the realm of treatment and education observes his/her surgery, and the surgeon would need to work with the hospital to ensure their policies are followed as well.
Q: One of the practices we value in the student application process to our program is the applicant "shadowing" a practicing professional in the community. Is this allowed under HIPAA?
A: Under certain circumstances, yes. First, is the student truly a University student, or is this something that is required as part of the application process?
If it is done through the University, the student would be functioning in a "trainee" capacity, included in the workforce under HIPAA. In other words, if I'm an HSC student shadowing a professional in Dr. Joe's office, I'm considered part of Dr. Joe's workforce in this capacity. Of course, I function under whatever rules Dr. Joe says I must follow, e.g., don't take any PHI with me, don't access PHI that I'm not entitled to in my job duties, etc.
Here is another example: I take my child to see a doctor (not an HSC doc), and a UT medical student accompanies the doctor into the exam room, introduces herself and asks my permission to observe the exam. The patient has the option of asking the student not to be there.
If the student is not yet an HSC student, Dr. Joe's office will definitely want to get him/her to sign a confidentiality acknowledgement and might want to get a specific patient authorization prior to allowing the student to observe patients.
HIPAA in Patient Treatment
Q: Can I send out appointment reminder cards to my patients? How about reminder phone calls?
A: Generally, these activities are allowed under HIPAA. However, care must be taken not to inadvertently place the patient's privacy at risk. The "Notice of Privacy Practices" tells the patient that we will use his/her information for appointment reminders; however, it is good policy to make sure that the patient understands how we will be handling this process. Appointment reminders that include a clinic name that might give away a diagnosis should not be used or should be made more generic. You should never leave health information, such as lab results or any other type of confidential information, on a voice mail or answering machine.
Q: I treat patients in the emergency room, and it is very difficult to maintain patient privacy in that setting. What do I need to know about privacy in emergency situations?
A: As always, the most important concern in an emergency situation is treating the patient in a timely and appropriate manner. Although it can be challenging due to the pace and set-up of the typical emergency room, some basic privacy rules should be followed, such as speaking in low voices whenever possible. In addition, see questions below about incidental disclosures.
Q: What is meant by "incidental disclosures"?
A: It is a secondary use or disclosure of PHI that cannot be reasonably prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure of protected health information (PHI), such as in the course of treatment.
Q: How do I handle discussing the patient's progress, test results, etc., with the patient when there are other people present?
A: You should always ask the patient (or parent in the case of a child) if he/she wants the other individuals to stay or leave before discussing the patient's care with them in the room. In any situation, including emergencies, in which the patient is incapacitated, limit discussions to the patient's next of kin when possible. Otherwise, use your professional judgment of what is in the best interest of the patient.
Q: I heard from someone that under HIPAA I will have to do away with patient sign-in logs in my clinic. Is this true?
A: No, not necessarily. HIPAA does not disallow sign-in logs, calling the patients' names out in the waiting room, patient names on hospital doors, patient schedules posted in treatment areas, etc. HIPAA also does not require re-configuring treatment areas where more than one patient is treated at a time, such as orthodontic offices, therapy gyms, or semi-private hospital rooms. Many disclosures in these situations will be considered incidental. Good professional judgment should be used in all situations to ensure reasonable privacy to patients. Certain types of treatment, such as psychiatry, fertility treatment, etc., require an extra measure of privacy.
Q: What if you are treating a patient and want another professional's advice? Can you say, "What would you do for (person's name) if they had (whatever condition)?"? Can you have this discussion without the patient's consent or awareness that it is happening?
A: If you obtain the other professional's advice in the process of providing treatment to the patient, you do not need to obtain additional patient authorization. However, if you are getting advice from someone in a more informal setting, such as with someone not involved in the patient's care, you should not use the patient's name or any other patient identifier. The best way to assure patient privacy is to remove patient identifiers whenever you can when discussing a patient or using his/her information (such as in classroom presentations).
Disclosure of Protected Health Information
Q: My patient wants copies of his lab reports to take with him for his records. Under HIPAA, can I simply hand copies of these reports to the patient?
A: Yes. The patient has the right to see his/her health information, and as the clinician you can make the decision of whether or not access is appropriate. Your clinic staff may have a process for handling release of information, so you may want to check with them on how they generally want to handle this.
Q: How do we exchange information with entities that have PHI in their school records?
A: Generally, a patient/parent authorization is required to release records to these entities, or to request information from them. School records often contain health information, and frequently there must be exchange of information between schools and health care providers (e.g., pediatric clinics and school nurses). School records on students are covered under FERPA (described in the first question), not HIPAA.
Q: Are pictures considered part of the patient's health record/PHI, and am I able to disclose them?
A: Yes, pictures of the patient are considered part of their health record. You are able to disclose them in the same manner as other types of PHI are disclosed. A patient's photograph that identifies him/her cannot be posted in public areas, such as hallways, without specific authorization from the patient. Likewise, a patient's photograph that identifies him/her cannot be used in any form of publication without the patient's specific authorization. If the patient is not identifiable from the image, it is not considered to be PHI.
Q: We are having a problem with some outside doctors' offices or other providers refusing to release PHI to us on our patients who are treated by them; they say HIPAA is why they are not able to disclose this information to us. Aren't they allowed to release this information to us under the treatment provision of HIPAA?
A: Yes. If the doctor referred the patient to another doctor, a diagnostic testing center, lab, home health, nursing home, etc., this is part of a treatment relationship, and we are allowed to share PHI for this purpose. We are also able to use and disclose information for payment and certain operations purposes.
For additional HIPAA assistance, access the Department of Health & Human Services/Office of Civil Rights FAQs, www.hhs.gov/ocr/hipaa/ and click on "Answers to your Frequently Asked Questions."