The 9 most common HIPAA myths busted
HIPAA MYTH #1: HIPAA covers all health information.
FACT: This is not true. Let’s first clarify when and to whom HIPAA applies.
Entities covered by HIPAA are:
Health care providers (doctors, clinics, hospitals, pharmacies).
Health plans (insurance companies, government programs such as Medicare).
Health care clearinghouses (billing services and community health systems that organize health data).
HIPAA covers only health information that is received, stored, maintained, or transmitted by an entity covered by HIPAA.
Health information collected by consumer health apps, fitness trackers, and similar devices is not covered by HIPAA. The only exception is when such a device has been provided to you by your doctor or healthcare provider.
HIPAA MYTH #2: Having medical records on good old paper relieves us of the obligation to comply with HIPAA privacy regulations. HIPAA applies only to electronically stored and electronically transmitted data.
FACT: HIPAA covers all health information that can be handled, stored, transmitted, or breached, regardless of its form! It is important to make sure that all medical records are handled properly and shared appropriately with the data owner, whether they are shared electronically or copied and faxed.
This means that keeping paper records does not relieve you of your obligation to comply with HIPAA privacy regulations. Moreover, in this age of digitization, almost all practice records are now captured and stored electronically. So relying on paper files won’t help your business grow, nor will it relieve you of HIPAA compliance obligations.
HIPAA MYTH #3: Healthcare providers may look up and share patients’ health information with other employees.
FACT: Under HIPAA, healthcare providers are not allowed to disclose personal health information to employers without the patient’s consent.
Healthcare providers may only disclose a patient’s protected health information (PHI) to other employees who need the information to provide treatment, payment, or healthcare operations. This is known as the “minimum necessary” standard.
Consider this example: a doctor may share a patient’s PHI with a nurse who is providing care to the patient, and a billing department may need access to PHI to process insurance claims. However, healthcare providers should still take appropriate steps to protect the confidentiality of PHI, such as limiting access to PHI to only those employees who need it for their job duties and implementing physical, technical, and administrative safeguards to protect PHI. Note that data collected as part of staff surveys is considered separately collected data and is not covered under HIPAA.
HIPAA MYTH #4: Sharing patient information with family members is prohibited under HIPAA.
FACT: HIPAA does not prohibit sharing patient information with family members. Information can be shared with friends and family members if the patient is present and does not object. Also, if the provider judges that sharing the information is in the patient’s best interest, they may disclose it. Otherwise, if the patient clearly objects to the information being shared with their family or with any specific person, those wishes must be respected!
Without the patient’s presence, information can only be shared with the patient’s family if he/she is incapacitated and healthcare professionals have judged that the patient would not object to sharing their information with family, friends, or close relatives. Family members may obtain a copy of the patient’s health record only with written consent from the patient, as set out in 45 CFR 164.524(c)(3)(ii).
HIPAA MYTH #5: A patient has the right to a copy of all their health information records.
First of all, let’s define the term “medical or health information record”. Medical record means any collection or grouping of information related to a patient’s health that is collected, used, maintained, or disseminated by or for a covered health care entity.
FACT: It is true that, at the patient’s request, health organizations are obliged to provide a copy of their health information record. But there is information that may be withheld if it is believed that disclosing it may harm the patient.
The two categories excluded from the right of access are:
Psychotherapy notes: the personal notes of the mental health care provider, kept separate from other medical records. These are notes used to analyze and document the entire content of the patient session.
Any information required for use in civil, criminal, or administrative proceedings.
HIPAA MYTH #6: Physicians may not send patient information to other health care providers.
FACT: The HIPAA Privacy Rule allows medical records to be sent to other doctors without the patient’s consent. This applies not only when a physician is the patient’s outgoing doctor: physicians also have the right to disclose patient information without consent for purposes of treatment, payment, and health care operations.
HIPAA MYTH #7: HIPAA does not apply to text messages, only email.
FACT: Not true. Text messages, like email, are considered forms of electronic communication under HIPAA and must comply with the HIPAA Privacy Rule.
If your healthcare organization sends text messages that contain unencrypted private health information, then it must:
Warn patients about the risks of using unencrypted text messages for health purposes.
Obtain consent from patients to communicate through unencrypted messages.
Document patient consent and organizational compliance.
HIPAA MYTH #8: It is forbidden to call you by name in the waiting room.
This is one of the most common falsehoods circulating on internet forums. There is no HIPAA violation if a patient is called by name in a waiting room, because no health information is disclosed. But there is a violation if, at the same time, the patient’s health condition or the procedure the patient is there for is also stated aloud.
HIPAA MYTH #9: You as a patient can sue a healthcare provider for violating HIPAA.
It is logical to think that breaking the law will result in a lawsuit. But let’s look further at why this is simply not true.
FACT: You as a patient cannot sue health care providers, even if HIPAA rules are violated. In that case, however, you have the right to file a written complaint. After a complaint is filed, the Secretary of Health and Human Services investigates the complaint (if reasonable grounds for doing so are provided), and may do so at his/her discretion.
If there is a violation, the best-case scenario is civil monetary penalties for the HIPAA violator.
HIPAA Myths Revealed
In conclusion, understanding HIPAA regulations is crucial for protecting patient privacy and data security in the healthcare industry. By revealing and explaining these 9 common HIPAA myths, we hope to have provided clarity and guidance on what is and isn’t allowed under HIPAA. Remember to always seek professional advice from experts, such as our data privacy compliance service, and take appropriate steps to safeguard protected health information. By working together, we can ensure that HIPAA regulations are followed, and patient privacy is protected.