HIPAA/LAW:
Legal Q/A
October 2002
"HHS Responds to Frequently Asked Questions"
by Steve Fox, Esq., & Rachel Wilson, Esq.,
Pepper Hamilton LLP
On October 2nd, the Department of Health and Human Services ("HHS")
posted responses to questions frequently asked about the HIPAA Privacy
Rule (the "Rule"). The FAQs provide additional guidance
about an individual's right to review his/her medical record, safeguards
required when disclosing protected health information ("PHI"),
incidental disclosures and the minimum necessary rule, and business
associate requirements. The following is a brief summary of several
of the more significant FAQs:
- PATIENTS' REVIEW OF THEIR MEDICAL RECORD. Who pays for
the cost of copying medical records that patients request as permitted
by the Rule?
Covered entities may impose reasonable fees for the cost of copying
and postage. Fees must be based upon the actual production costs
incurred by the entity, which would include the cost of labor,
supplies, and postage, with the exception that costs associated
with the search and retrieval of the requested information cannot
be recovered from the patient. The covered entity may charge a
fee for preparation of a summary or explanation of PHI in those
cases where a patient has agreed to receive such a summary or
explanation in lieu of the actual records.
- SAFEGUARDS TO PROTECT PHI. Can covered entities transmit
PHI via fax?
As long as the disclosure is permitted under the Rule, it can
be made by fax or any other means. However, whatever the chosen
means, it is subject to the reasonable and appropriate administrative,
technical, and physical safeguards that covered entities are required
to implement under the Rule (i.e., security considerations). An
example of such safeguards would include requiring employees to
confirm the fax number of the recipient prior to sending the fax,
and making sure the fax machine is not accessible except to those
that are authorized to use it.
- INCIDENTAL DISCLOSURES & THE MINIMUM NECESSARY RULE.
Are patient sign-in sheets prohibited under the Rule? What about
calling the names of patients in a waiting room?
Just to dispel any remaining uncertainty about this, HHS is telling
us again that disclosures resulting from using sign-in sheets
and calling out for patients in waiting rooms are considered the
incidental by-product of otherwise permissible disclosures related
to treatment, payment, and health care operations. Both practices
are permissible, but only to the extent that reasonable and appropriate
safeguards have been implemented to protect the privacy of PHI
and limit the disclosure to the minimum amount necessary. For
example, sign-in sheets should only require patients' names, not
social security numbers, reason for visit, symptoms, or any other
personal information which may be obtained privately. Similarly,
displaying the names of patients next to the door of their hospital
rooms and placing patient charts outside exam rooms are also permitted
under the Rule subject to the same requirements.
- BUSINESS ASSOCIATES. Will physicians be considered the
business associates of health plans or other payers? Are mail
delivery personnel, plumbers, electricians, and other technicians
and service providers the business associates of the covered entities
to whom they provide service? Does HIPAA require covered entities
to monitor business associate compliance with the Rule?
If the only relationship between a health plan and a provider
is one where the provider submits claims for payment, then the
provider is not a business associate of the health plan. Business
associate relationships arise where a function or service is performed
for or on behalf of a covered entity, or where certain services
are provided to a covered entity, provided that the service
or function involves the use or disclosure of PHI. That is generally
not the case with providers and payers.
Plumbers, electricians and other technicians do not require access
to PHI in order to perform their services. Therefore, they do
not meet the definition of a business associate. Although mail
delivery personnel may have access to PHI, they do not meet the
definition of a business associate because they merely act as
conduits to transport the information and no disclosure of PHI
is intended. In all of these cases, it is possible that individuals
performing these services may inadvertently see or have access
to PHI. However, as long as the covered entity used reasonable
and appropriate administrative, technical, and physical safeguards
to minimize the chances for such exposure, no violation of the
Rule will occur.
HHS again clarifies that although the Rule does not require covered
entities to monitor, audit or oversee business associates for
HIPAA compliance, it does require covered entities to enter into
written business associate agreements in order to protect the
privacy of patients' PHI. Furthermore, if a covered entity discovers
material violations by its business associate, it must then immediately
act to end the violation. If these attempts are unsuccessful,
the business associate contract must be terminated. In the event
that termination is not feasible, then the problem must be reported
to HHS, Office of Civil Rights, the agency charged with administration
and enforcement of the Rule. This area may well provide a fertile
source for plaintiffs' attorneys, who will argue that the covered
entity should have known of the business associate's violation,
and was negligent for failing to prevent it or take action sooner.
For the full text of the FAQs, see:
http://www.hipaadvisory.com/action/faqs/faqs1001.doc
Steve Fox, Esq., is a partner at the Washington, DC office of Pepper
Hamilton LLP. This article was co-authored by Rachel H. Wilson,
Esq., of Pepper Hamilton LLP. www.pepperlaw.com
Disclaimer: This information is general in nature and should not
be relied upon as legal advice.