HIPAA Frequently Asked Questions
This FAQ is intended to help our physicians and practices navigate the complexity of HIPAA in everyday practice. It is not intended as legal advice.
Can someone other than a patient (e.g., a wife for a husband, a parent for an adult child) make an appointment for the patient?
Is an authorization required to fill out a form for a patient so the patient can use it to participate in school programs?
The patient is a minor and the patient’s parent is asking us to fill out the form. Can the completed form be sent to the parent who requested it?
Do we need to obtain business associate agreements with pharmacies?
Do we need to obtain business associate agreements with janitorial services and copier services?
May we use postcards to send our patients their mammogram or pap smear reminders?
May we show a disease-specific educational video to a patient in our waiting room?
Some of our employees are also our patients. Do these employees waive their rights under the HIPAA Privacy Rule?
Can we fax patient medical information to another physician’s office?
Can we send a patient’s medical information in an email?
Does HIPAA change the way California physicians must respond to subpoenas, court and administrative orders and other discovery devices aimed at obtaining medical information or patient records?

Can someone other than a patient (e.g., a wife for a husband, a parent for an adult child) make an appointment for the patient?
Yes. HIPAA controls only the use or disclosure of protected health information by a covered healthcare provider.
When a covered healthcare provider accepts an appointment from a spouse or a parent of an adult child, it could be considered "use or disclosure" of protected health information because the provider accesses the other spouse's or adult child's information on file, and acknowledges that the spouse or adult child is a patient. However, unless the spouse or adult child has previously objected to the disclosure in writing, or other stricter protections apply (e.g., psychiatric treatment), such limited "use" and "disclosure" may be made under HIPAA and California law.
When an appointment is being made, you should not “use or disclose” any information that is not necessary to make or change the appointment. In most cases, therefore, if the spouse or parent of an adult child asks a question about the patient's health status (e.g., diagnosis) or the purpose of an already existing appointment, such information should not be disclosed because it is not reasonably necessary to make or change an appointment. There are exceptions to this general rule, and you should consult an attorney for assistance with such exceptions.
Is an authorization required to fill out a form for a patient so the patient can use it to participate in school programs?
HIPAA permits disclosures of protected health information to an individual who is the subject of the information. Therefore, filling out a form about an individual’s own protected health information and giving it back to the individual would fall within this category. If, however, a completed form is sent directly to a third party (e.g., a school), then a HIPAA compliant authorization is required.
The patient is a minor and the patient’s parent is asking us to fill out the form. Can the completed form be sent to the parent who requested it?
HIPAA generally does not require an authorization for a parent to use or disclose the protected health information of a minor child. However, California law permits minors who are 12 years old or older to receive certain healthcare services without parental consent (e.g., services for sexually transmitted diseases, pregnancy or outpatient mental health counseling). In these cases, any disclosure to parents would require the patient – i.e., the minor – to complete a HIPAA-compliant authorization. Additionally, in those limited instances, consider mailing the completed form in a sealed envelope addressed to the patient, rather than to the parent who requested it.
Do we need to obtain business associate agreements with pharmacies?
No. Under HIPAA, a provider may disclose Protected Health Information (PHI) to pharmacies for treatment purposes (e.g., to fill a prescription or to discuss the side effects of a drug).
Do we need to obtain business associate agreements with janitorial services and copier services?
No. Although the individuals performing these services may be exposed to PHI, these exposures are considered “incidental disclosures” and are permitted under the HIPAA privacy regulations, as modified in August 2002, so long as provider offices take necessary precautions to minimize such incidental exposures.
May we use postcards to send our patients their mammogram or pap smear reminders?
No. Under HIPAA, a postcard will expose PHI to third parties, which conflicts with reasonable safeguards for the privacy of patient information. Send these reminders in a sealed envelope.
May we show a disease-specific educational video to a patient in our waiting room?
Yes. No PHI is generally disclosed in showing a disease-specific video.
Some of our employees are also our patients. Do these employees waive their rights under the HIPAA Privacy Rule?
No. The HIPAA privacy regulations prohibit a waiver of rights. Employees who are also patients in the office where they are employed do not have to waive their rights. Your office must implement reasonable administrative, technical and physical safeguards and use the “minimum necessary” protocols to adhere to the HIPAA privacy regulations. “Incidental disclosures” that occur in the office are permitted under the HIPAA privacy regulations, as modified in August 2002.
Can we fax patient medical information to another physician’s office?
Yes, you may fax information provided you have implemented appropriate patient information safeguards. Reasonable measures include the following:
- Confirm the fax number with the other provider’s office.
- Program the fax number into the fax machine to minimize transposition of numbers.
- Confirm with the office or the fax log that the fax was properly sent.
- Place the fax machine in a secure location.
- Place a confidentiality notice on your fax coversheet.
Can we send a patient’s medical information in an email?
Yes, you may send patient information by email provided you have implemented appropriate patient information safeguards. In particular, you should either encrypt or password-protect the email or any attachments containing PHI. If you use encryption software, the receiving provider must have the same software to decrypt the encrypted email or attachment. Your office will need to provide the receiving office with a key to your encrypted email.
Does HIPAA change the way California physicians must respond to subpoenas, court and administrative orders and other discovery devices aimed at obtaining medical information or patient records?
You should continue to respond to these discovery devices the same way you have in the past. Generally, HIPAA does not preempt provisions of California law that are more restrictive than HIPAA. California law governing physicians' responses to court orders, administrative orders, subpoenas in a court or administrative proceeding and other discovery devices is comprehensive and detailed and is generally stricter than HIPAA, so the provisions of existing California law should apply and should be carefully followed. However, the relationship between HIPAA and California law is complicated, as are the provisions of California law itself. If you have questions about how to respond or act in a particular situation, you should talk with your attorney. Hill Physicians cannot and does not give legal advice or advice about particular factual situations.