Frequently Asked Questions
Q.    A parent brings a child who is a new patient into a dental practice and signs a Notice of Privacy Practices (NPP) form on behalf of their child, and then, a few days later, comes in with another one of their children who is also a new patient. Does the parent need to sign a separate NPP form for that child as well?
 
A.   You can provide one NPP for all the children, so note that on the receipt form, and ask that the parent sign the receipt indicating that the NPP information applies to each child and has been received for each child in the family.  That receipt should be placed in the patient file.
 
Q.   May health care providers leave messages at patients’ homes or mail reminders to their homes?
 
A.   Yes!  However, covered entities should take care to limit the amount of information disclosed on the answering machine.
 
Q.   Is an authorization needed to send a medical record to another provider who is treating the patient?
 
A.   No!  The rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual.
        
Q.    Do patients have the "right" to change their medical records?
 
A.    Yes and no!  If the requested change is appropriate - meaning it does not change the statement of condition, treatment, or other relevant medical information in the patient record - then the change can be made.  E.g., the patient wants the address changed, or the ex-spouse's name removed from the file.  However, if you believe the file is accurate and complete, you should refuse the request.  E.g., the patient wants to remove some of the diagnosis from the file because it might cause the life insurance company to deny a life policy.
 
Q.    Does our practice have a specified period of time to respond to a patient's request for a patient "right"?
   
A.   Yes!  Under the HIPAA privacy rule, you must respond to the patient no later than 60 days after receipt of a request.  If you are unable to respond by that date, you can extend your response time by a maximum of 30 days.   You must provide the patient with an explanation for the extension of the date.
 
Q.    If a state law is more protective of HIV information than HIPAA, does it preempt HIPAA?
 
A.    Yes!  The HIPAA privacy rule is the "ground floor" for protecting individual privacy.  When the state law exceeds the HIPAA requirements, you should follow the state laws.
 
Q.    Can a patient prohibit practice staff members from seeing his/her medical records?
 
A.    Under the HIPAA privacy rule, a patient can request that restrictions be placed on the use and disclosure of the patient's medical files, including restrictions on the practice staff. (E.g., if the patient knows one of the practice staff personally and is concerned about confidentiality, restrictions may be requested and the practice may restrict the staff person from seeing the patient files.)  The practice is not required to honor the request if the patient's PHI is required for the staff person to do their job.  The practice should notify the patient that the staff is trained to protect the confidentiality of the patient files.
 
Q.    Does the HIPAA privacy rule give parents the right to see or amend the medical records of a child legally considered a young adult?
 
A.    Generally, no.  Once a child reaches the age of majority (typically 18 - 21 years of age), a parent is no longer entitled to see or amend the child's medical records.  If the parent continues to pay for the child's care, some information may be disclosed so the parent can obtain payment from the insurer.  The physician is allowed to exercise some professional judgment about when to disclose PHI to the parents without the young adult's authorization.  When in doubt, ask the young adult patient to sign a written authorization.
 
Q.    In the past, practices allowed family members to pick up reports, x-rays, and prescriptions for a patient.  Is this practice still allowed under the HIPAA Privacy rule?
 
A.    Yes.  Staff members may make a reasonable judgment call based on their experience and knowledge of the patient and if it is in the patient’s best interest to have someone else act on their behalf.   When in doubt, the staff should take reasonable steps to verify the person’s identity (e.g., call the patient to confirm that the individual has the authority to act on their behalf).
 
Q.    Does the HIPAA Privacy rule require a practice to obtain a signed “Confidentiality Agreement” or signed Business Associates Agreement for all pharmaceutical reps?
        
 A.    No.  The Privacy rule requires the physician to adopt reasonable safeguards to protect the PHI and to guard against inadvertent disclosures.  The reasonable requirement does not mean that a physician must obtain signed agreements from representatives that might occasionally have incidental access to PHI.  Physicians should take reasonable measures (e.g., not allowing visitors to roam freely in the office, exam rooms, or records areas where PHI may be seen or overheard).
        
Q.    A patient asked me not to discuss her health with family members or others.  Am I obliged to agree to this?
 
A.    Yes.  Only the patient has the right to his/her medical information without patient authorization.   Under the Privacy rule, the patient has the right to request “restrictions” on disclosures of their medical information.  Under HIPAA, however, you are allowed to disclose PHI without patient authorization for purposes of treatment, payment, and medical operations.
 
Q.    One of my patients would like me to amend the information in her medical record.  Is this permitted under HIPAA?
        
 A.     Yes.  Under the HIPAA Privacy rule, the patient has the right to request an amendment to their record.  However, if appropriate, the doctor has the right to reject inappropriate requests for amendments such as changing a diagnosis.
 
Q.     Is it true that the information covered by the Security rule will be different from that covered in the Privacy rule?
        
A.     Yes.  The Privacy rule covers PHI – that is, any information that may identify a person, their health status, and the healthcare received.  The Security rule covers only PHI in electronic form.
        
Q.     My practice isn’t considered a covered entity under the Privacy rule because we’re paper-only.  Are we also exempt from the Security rule?
        
 A.     Yes.  Only practices that transmit PHI in electronic form are considered covered entities under the HIPAA regulations.  If you truly are paper-only, that means that you do not submit even one claim electronically or get paid electronically, and you are not a covered entity under the Security rule.
 
Q.     Will my software/hardware vendor be able to make my practice compliant with the Security rule?
        
A.     Not likely.  It is true that your software vendor may be able to provide some of the capabilities under the “Technical Safeguards”; however, you will need to address the requirements under “Administrative and Physical Safeguards.”
        
        
Q. My State law says I may provide information regarding an injured worker's previous condition, which is not directly related to the claim for compensation, to an employer or insurer if I obtain the worker's written release. Am I permitted to make this disclosure under the HIPAA Privacy Rule?

A. A covered entity may disclose protected health information where the individual’s written authorization has been obtained, consistent with the Privacy Rule’s requirements at 45 CFR 164.508. Thus, a covered entity would be permitted to make the above disclosure if the individual signed such an authorization.

Q. My State law says I may disclose records, relating to the treatment I provided to an injured worker, to a workers' compensation insurer for purposes of determining the amount of or entitlement to payment under the workers' compensation system. Am I allowed to share this information under the HIPAA Privacy Rule?

A. Yes. A covered entity is permitted to disclose an individual’s protected health information as necessary to comply with and to the full extent authorized by workers’ compensation law. See 45 CFR 164.512(l).

Q. Is a physician required to give her notice to every patient or can she just post the notice in her waiting room and give a copy to those patients who ask for it?

A. The HIPAA Privacy Rule requires a covered health care provider with direct treatment relationships with individuals to give the notice to every individual no later than the date of first service delivery to the individual and to make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If the provider maintains an office or other physical site where she provides health care directly to individuals, the provider must also post the notice in the facility in a clear and prominent location where individuals are likely to see it, as well as make the notice available to those who ask for a copy. See 45 CFR 164.520(c) for other notice provision requirements.


Q. Are health care providers required by the HIPAA Privacy Rule to post their entire notice at their facility or may they post just a brief description of the notice?

A. Covered health care providers that maintain an office or other physical site where they provide health care directly to individuals are required to post their entire notice at the facility in a clear and prominent location. The Privacy Rule, however, does not prescribe any specific format for the posted notice, just that it include the same information that is distributed directly to the individual. Covered health care providers have discretion to design the posted notice in a manner that works best for their facility, which may be to simply post a copy of the pages of the notice that is provided directly to individuals.
 
 
 

2007 DoctorsManagement, LLC. All Rights Reserved. Knoxville, TN USA
