8 HIPAA Myths, Explained and Debunked
We’ve recently revealed, with huge fanfare, that Qminder has officially become HIPAA-compliant. We’ve tried our best to explain how important this piece of news is, but there are still a lot of information gaps we haven’t covered.
So today, we present you with the first installment of Mythbusters: the HIPAA edition! Unlike Adam Savage and Jamie Hyneman, we’re not going to blow up anything.
(Not yet, anyway.)
Instead, we’re doing it old-school style: explain the most prominent HIPAA myths and then debunk them using facts and the letter of the law. Sounds exciting, right?
Let’s jump right in.
Myth #1: HIPAA Does Not Apply to Our Specific Healthcare Provider
HIPAA-Schmipaa, who cares! It’s just another pointless set of regulations that doesn’t concern our healthcare facility. It’s a waste of money, is what it is.
FACT: HIPAA applies to any and all healthcare providers who transmit, store or handle protected health information.
HIPAA regulations apply to healthcare facilities of all sizes and purposes. Protected health information (PHI) — which includes a patient’s name, social security number, address, etc. — is subject to the HIPAA Privacy Rule. As long as you handle PHI, you need to comply with HIPAA.
This also applies to any of your subcontractors who can access your patient data. Any entity this data goes through — for example, a cloud database provider — needs to be HIPAA-compliant as well.
Otherwise, in case of a breach into a non-HIPAA-compliant database, expect to lose patients — and that’s to say nothing about litigation costs.
Myth #2: HIPAA Privacy Rule Applies Only to Electronic Records
As long as medical records are on good old paper, there is no need to comply with HIPAA privacy regulations, which only apply to electronically stored and transmitted records.
FACT: HIPAA covers all patient records, regardless of their nature.
Paper sign-in records and medical records do not make your healthcare facility exempt from adhering to the HIPAA Privacy Rule. HIPAA privacy requirements cover more than just electronic health information.
As long as the information can be stored, handled, transmitted, breached or stolen, it needs to be protected by HIPAA. So even if you only have paper patient records, you must be compliant with the HIPAA Privacy Rule.
Also, it’s the 21st century. Paper medical records are so last millennium.
Myth #3: HIPAA Prohibits Email Correspondence Between Doctors and Patients
Emails get a lot of flak for being easy to breach and steal. Naturally, this means HIPAA doesn’t allow healthcare providers to use them when corresponding with a patient, right?
FACT: The HIPAA Privacy Rule allows providers to use many different means of communication, up to and including emails.
Of course, HIPAA expects healthcare providers to use appropriate safeguards, such as encryption, to communicate with patients. Confidentiality of patient health data must be secured, especially when transmitted electronically.
In other words, emails are a reasonable way of communicating with patients as long as adequate safeguards are in place.
Myth #4: Healthcare Providers Can Share Health Information With Employers
Employers must have the ability to research health information about their current or potential employees. It’s on the same level as information about their labor experience, education, skills, driving licence, etc.
FACT: HIPAA prohibits healthcare providers from disclosing personal health information to employers without the patient’s consent.
In most cases, employers are not allowed to access a patient’s medical records. This does not depend on whether the employer pays for the patient’s care or insurance plan.
The employer may obtain access to your medical records but only if you give your explicit, written permission. However, HIPAA does not cover healthcare information collected separately — for example, through HR surveys.
Myth #5: Patients Can Sue Healthcare Providers for Violating HIPAA
Power to the people! You break the law, and you get sued. It’s common sense. Common folks need to have the ability to sue healthcare providers for not complying with HIPAA regulations, right?
FACT: Even in case of a violation of the HIPAA Privacy Rule, patients cannot sue healthcare providers.
It’s all about steady justice. If a healthcare provider fails to comply with HIPAA privacy regulations, you must file a written complaint. If there are reasonable grounds to investigate the complaint, the Secretary of Health and Human Services may do so at its own discretion.
Best case scenario, there may be some civil penalties and criminal sanctions imposed on said healthcare provider. But you as a patient don’t have as much say as you might’ve hoped.
Myth #6: A Doctor Cannot Send Medical Records to Another Doctor
As the source and the supposed owner of your medical records, it should go without saying that this information cannot be transferred to another
FACT: A doctor can send medical records to another doctor without your explicit consent.
As long as the goal of sharing the protected information is in the patient’s best interests, no consent is necessary.
The HIPAA Privacy Rule states that healthcare providers are allowed to disclose protected health information to other providers for the purposes of treatment, payment, or healthcare operations, with or without the patient’s permission.
And while we’re on this subject, a healthcare provider may also disclose medical information to a family member, relatives, or any person identified by the patient. The medical information, however, needs to be directly relevant to this person’s involvement with the patient’s care or payment.
Myth #7: Hospitals Are Required to Give You Your Records
Since it’s your healthcare information, it only makes sense that you should have unlimited access to it, right? You should be able to obtain it as you please, no questions asked.
FACT: It’s a bit more complicated than that.
You absolutely have the right to request medical records, but this does not guarantee that you will get all, or even any, of your records.
Some records may be deemed too harmful for you — for example, mental health records — and as such, you may be denied access to them. That said, there needs to be a reasonable basis to believe that exposing you to this information may prompt you to harm yourself.
Otherwise, as long as you follow all of the required steps, you’re more than likely to get copies of your medical records. And if you don’t, healthcare providers are obligated to notify you in writing.
Myth #8: HIPAA Prohibits Calling out Patients’ Names
Is there more personal information than an individual’s name? Surely, HIPAA must discourage healthcare providers from calling patients by their names.
FACT: The Privacy Rule explicitly permits certain incidental disclosures that occur as a by-product of an otherwise permitted disclosure.
The disclosure of a patient’s identity to other patients in a waiting room is treated as one example of such incidental occurrences. Naturally, there still need to be reasonable safeguards to protect confidentiality and the purposes of such disclosure need to be strictly related to treatment.
Certain types of treatment — such as psychiatry, fertility treatment, etc. — require additional focus on protection of confidentiality. This still, however, doesn’t mean that HIPAA requires changing treatment or waiting areas to accommodate these regulations.
You can also debunk this myth with the fact that Qminder has been HIPAA-certified, despite the use of visitor names being the central focus of its technology. Displaying names, especially when it’s limited to first names and/or initials, does not breach the Privacy Rule — nor, for that matter, do sign-in logs, patient names on hospital doors, or publicly available treatment schedules.
All of these cases are well within the application of HIPAA privacy regulations.
Hope this very special issue of Healthcare Mythbusters proved interesting to you. Tune in for more debunkings (debunkments?) and demystifications!