On December 3, 2002, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services issued guidance on the Standards for Privacy of Individually Identifiable Health Information to explain and answer questions about key elements of the requirements. Much, although not all, of the information contained in the guidance had been previously released by OCR. Set forth below are some of the most significant clarifications contained in the guidance. For a lengthier summary, please visit our web site at popovitslaw.com.
Incidental Uses and Disclosures
- Health care providers may engage in confidential conversations with other providers or with patients even if there is a possibility that they could be overheard, so long as the covered entity has implemented reasonable safeguards, such as lowered voices or talking apart from others when sharing PHI (p. 14).
- The Privacy Rule does not require structural changes to avoid the possibility that a conversation may be overheard (p. 15-16).
- Covered entities may use patient sign-in sheets or call out patient names in waiting rooms so long as the information disclosed is appropriately limited (for example, a sign-in sheet may not display the patient's medical problem) (p. 17).
- Covered entities do not need to document incidental disclosures in an accounting of disclosures provided to an individual (p. 20).
Minimum Necessary
- Disclosures for treatment purposes between health care providers are explicitly exempted from the minimum necessary requirements, but uses of PHI for treatment purposes are not (p. 24).
- Minimum necessary requirements do not prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patients' medical information in the course of their training (p. 25).
- Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements (p. 25).
- A minimum necessary determination is not required for disclosures to Federal or State agencies, such as the Social Security Administration, for individuals' applications for benefits; such disclosures may be made pursuant to the agency's authorization form as long as the form meets the requirements of the Privacy Rule (p. 25).
- The use, disclosure, or request of an entire medical record, including portions created by another provider, is not prohibited and may be done without a case-by-case justification if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes (p. 26).
- Facility redesign is not necessary to meet the reasonableness standard for minimum necessary uses; however, certain adjustments may need to be made, such as isolating and locking file cabinets or records rooms, or providing additional security such as passwords on computers that maintain personal information (p. 27).
Business Associates
- Business associates must agree to fulfill an individual's rights to access and amend his or her PHI contained in a designated record set for information held by the business associate, and must provide an accounting of any disclosures.
- A covered entity is not required to monitor or oversee the means by which its business associates carry out privacy safeguards, or the extent to which the business associates abide by the privacy requirements of the contract, nor is the covered entity responsible or liable for the actions of its business associates. However, if a covered entity finds out about a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation and, if unsuccessful, terminate the contract with the business associate (p. 46).
- Accreditation organizations are business associates of a covered entity and, as such, must enter into a written business associate agreement or data use agreement with the covered entity to share PHI (p. 46).
- A business associate agreement is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of PHI and where any access to PHI by such persons would be incidental, if at all, such as janitorial services (p. 48).
- If a service is hired to do work where disclosure of PHI is not limited in nature, such as routine handling of records or shredding of documents containing PHI, it likely will be a business associate of the covered entity unless the work is performed under the direct control of the covered entity (e.g., on the covered entity's premises) or the Privacy Rule permits the covered entity to treat the service as part of its workforce (p. 48).
- Covered entities are not required to enter into business associate agreements with the U.S. Postal Service, United Parcel Service, or private couriers that act merely as conduits for PHI (p. 49).
- Generally, providers are not business associates of payers (if the relationship is one where the provider submits claims for payment). However, if the provider is performing another function on behalf of, or providing services to, the health plan (e.g., case management services) that meets the definition of "business associate," a business associate relationship could arise (p. 52).
- A software vendor is not a business associate merely because it sells or provides software, if it does not have access to PHI. If the vendor needs access to PHI to provide its services, it would be a business associate (p. 53).
- If an employee of a software or information technology vendor has his or her primary duty station on-site at a covered entity, the covered entity may choose to treat the vendor's employee as a member of the covered entity's workforce rather than as a business associate (p. 53).
Miscellaneous
- A covered entity may impose reasonable, cost-based fees for copies of requested medical records, and may charge a fee for preparation of a summary of PHI if the patient has agreed to such a summary (p. 118).
- Providers may fax PHI to another provider so long as reasonable and appropriate administrative, technical, and physical safeguards are in place to protect the privacy of PHI (e.g., confirm that the fax number to be used is in fact the correct number; place the fax machine in a secure location to prevent unauthorized access) (p. 119).
- The Privacy Rule does not require covered entities to provide patients with access to oral information, nor are covered entities required to document oral information (p. 122-123).
- A power of attorney that does not include decisions related to health care in its scope does not authorize the holder to exercise the patient's rights under the Privacy Rule (p. 35).
- The determination of who is authorized to act as a patient's personal representative is based on State or other law, not the Privacy Rule. However, the Privacy Rule does require covered entities to verify a personal representative's authority (p. 36).
- The Privacy Rule does not address consent to treatment and does not preempt or change State or other laws that address consent to treatment.