1. Does SBELIH have anything formal that we are adding to our faxes to be compliant with HIPAA?
A: Yes, SBELIH has created a faxing policy that:
- Emphasizes the minimum necessary rule (for questions look under the definitions portion of the HIPAA web resource),
- Outlines required components of a fax cover sheet which includes a confidentiality notice,
- Reminds the sender to ensure the fax is being sent to the correct fax number and that the intended recipient is aware the fax is coming, and
- Discusses the importance of avoiding faxing sensitive information (i.e. HIV, mental health, developmental disability, alcohol or drug abuse, sexually transmitted disease, pregnancy results, and genetic screening).
Refer to Administrative Policy EIM0041.
2. I have heard that HIPAA requires us to take patient name plates off of the walls and discontinue the use of tracking boards/whiteboards. How are we supposed to know where patients are located?
A: On December 4, 2002 the Office for Civil Rights (OCR) issued guidance regarding "incidental uses and disclosures." An incidental use or disclosure is defined as a use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. Identifying the patient on tracking boards/whiteboards and name plates is necessary for the safety of the patient. OCR cites the following as a permissible incidental use or disclosure: a hospital visitor may glimpse a patient's information on a sign-in sheet or on a nursing station tracking board/whiteboard.
Reasonable safeguards include:
- Speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- Avoiding the use of patients' names in public hallways and elevators;
- Isolating or locking file cabinets or records rooms; or
- Providing additional security, such as passwords on computers containing PHI.
Minimum Necessary: SBELIH should employ reasonable limits on how much PHI is used, disclosed, and requested for certain purposes.
3. If a patient believes their privacy rights have been violated where can they file a complaint?
A: Patients can be instructed to contact the SBELIH Privacy Office at (631) 477-5136 or Tara.Kraemer2@stonybrookmedicine.edu, or the patient may file their complaint directly with the Office for Civil Rights at (800) 368-1019 or OCRMail@hhs.gov.
4. May physician offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?
A: Yes. Covered entities, such as physician's offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).
5. What does the privacy rule say about semi-private rooms? With two patients in a room, there is no way to guarantee that one won't overhear health information about the other.
A: The Privacy Rule does not require structural changes to semi-private rooms. SBELIH must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. Pulling the privacy curtain, speaking in a lower tone directly to the patient, and standing on the side of the bed farthest from the other patient in the room are all appropriate safeguards.
6. Who may access patient health information in the EMR?
A: Only those who require access for SBELIH business reasons and who have been authorized to receive it.
7. Who is responsible for maintaining patient privacy?
A: The SBELIH workforce members.
8. Can I discuss patients with my family members if they don't work at SBELIH and promise to keep it a secret?
A: No.
9. Am I permitted to look at my sick family member's medical record to see if they are ok?
A: No. You are not permitted to look at your family member's record. This includes a parent accessing their children's medical record. SBELIH provides a patient portal for access to health information. Your family member can add you to their patient portal should they wish for you to be able to review their records.
10. Am I permitted to look at my own medical record electronically?
A: It is not a HIPAA violation to view your own medical record; however, you are not permitted to access your record via the SBELIH EMR, which is to be used for business purposes only. SBELIH provides a patient portal for you to access your health information, or you may request your record from HIM.
11. Does the HIPAA Privacy Rule allow an SBELIH employee to discuss a patient's health status, treatment or payment arrangements with the patient's family/friends?
A: Yes. The HIPAA Privacy Rule specifically permits the employees of a Covered Entity to share information that is directly relevant to the involvement of a family member or friend, identified by the patient, in the patient's care or payment for services provided. If the patient is present or available and has the capacity to make health care decisions, the patient is to be asked if they have any objection to sharing information with the family member or friend prior to the disclosure. Otherwise, providers use their professional judgement.