Frequently Asked Questions
- Notice of privacy practices/acknowledgement
- Mental Health Notice
- Computer Audit Trails
- Employee Access to PHI
- Destruction of Confidential Materials
- E-mail/voice mail/faxes
- Employee health, employee assistance
- Institutional/personal liability
- Medical record information
- Privacy in open/accessible areas
- Release of patient information
- Disclosure tracking
Question: Is HIPAA education a part of new employee orientation?
Question: Does the on-line system developed to record distribution and acknowledgment of Notice of Privacy Practices also flag specific patient requests, such as directory restrictions, confidential communication path, etc.?
Answer: The new fields developed in the registration system track Notice of Privacy Practices given/acknowledgment received. The tracking system for specific requests or restrictions is mandated in Health Information Management (HIM).
Question: How many times do we have to give a patient a copy of the Notice of Privacy Practices?
Answer: The Notice of Privacy Practices is required to be given to the patient one time, at the earliest opportunity during the patient’s interaction with the facility or provider.
Question: We do IVF (in-vitro fertilization) in our area. Currently we provide a separate waiver that needs to be signed by the patient to release information to a third party. Should we continue to do this, or will the Notice of Privacy Practices cover this situation?
Answer: The UC Davis Health System HIPAA "Authorization for Release of Health Information" form replaces other releases currently in use.
Question: What if a patient asks, "How did you handle my information before?"
Answer: California law and health system policies and practices have afforded patients a high level of confidentiality for many years. To the extent that California law is more extensive or protective of the patient than HIPAA regulations, California law will still be followed.
Question: Is the Notice of Privacy Practices printed in multiple languages and if so what languages?
Answer: HIPAA regulation does not require the printing of the privacy notice in multiple languages. However, in order to promote good patient communication and to promote better understanding of patient privacy issues, the health system prints the Notice of Privacy Practices in three languages - English, Spanish, and Russian. These languages represent the predominant needs of health system patients and area demographics. For those patients needing additional interpreting, translation services, or audio support, you may contact Interpreting Services.
Question: Does Interpreting Services need any training on the Invision screen?
Answer: No, Interpreting Services will not be making entries on the Invision screen to record receipt of the acknowledgment form.
Question: Does health system Employee Health Services (EHS) need to distribute the Notice of Privacy Practices (NPP) and obtain signed acknowledgment from employees seen in EHS?
Answer: No, EHS is not performing functions as a provider under HIPAA regulations.
Question: If the clinic chooses to mail the NPP to new patients, should they also send the acknowledgment for the patient to sign and return at their visit?
Answer: The clinic may include the NPP and acknowledgment form in mailings to new patients and complete the Invision acknowledgment. If the patient, at the first visit, returns the signed acknowledgment form, the paper copy is forwarded to Health Information Management for filing.
Question: If a minor has an appointment in the Birth Control clinic without parental consent, can the minor sign the acknowledgment for NPP?
Question: Our clinic has targeted an outreach to the Latino population and will regularly use the Spanish translation of the NPP. Does the clinic bear the expense of the NPP booklet?
Answer: Yes, the English, Spanish, and Russian NPP booklets are obtained through Purchasing with charge to appropriate clinic/cost center as with supply of any other health system forms.
Question: In the situation where a health system provider sees patients in a convalescent hospital, but the patients are never seen in a health system clinic, what is the provider’s obligation regarding the NPP?
Answer: The health system representative needs to check the status of the outside facility. If the health system provider has privileges at another hospital or a skilled nursing facility and sees patients at those facilities, the provider can be part of an organized health care arrangement (OHCA) or part of the work force at the outside facility, in which case the NPP distributed by the facility is on behalf of the provider and the facility. If, however, the other facility does not distribute an NPP, or is not an OHCA, or does not consider the provider as part of the work force, the health system provider should distribute a health system NPP, obtain a signed acknowledgment, and file it in Medical Records if it is a registered patient or at the physician’s clinic site.
Question: The HIPAA NPP is printed in English, Spanish, and Russian. Is there a recording or other service available for blind patients?
Answer: If a vision-impaired patient requests an accommodation to read the NPP, please let the patient know that services available for vision-impaired patients include asking a volunteer in the unit/department/clinic to read the NPP aloud to the patient, or the unit/department/clinic may call Interpreting Services for assistance.
Question: The parent of a minor is given the Notice of Privacy Practices on behalf of the minor. At what age is the health system obligated to give the Notice of Privacy Practices to an individual?
Answer: When a minor turns 18 years of age, the health system is responsible for providing the Notice of Privacy Practices and obtaining acknowledgment from the patient. It is anticipated that the on-line system to track provision of Notice of Privacy Practices will be programmed to provide an alert when a current minor turns 18, so that the Notice of Privacy Practices can be provided directly to the minor at the next encounter.
Question: Does the Alzheimer’s Clinic need to use the Mental Health Notice of Privacy Practices (MH-NPP) for psychology fellows and interns and for psychometrists?
Answer: The MH-NPP should be used if psychologists or psychiatrists are providing mental health treatment. If psychologists and psychiatrists are doing a mental health assessment, evaluation, or screening, this is a medical treatment and the medical NPP is used.
Question: If a nurse performs a screening exam on a patient to determine their cognizant level to assist the provider in decisions regarding the need for testing, should the MH-NPP be used?
Answer: No, screening activities do not require the MH-NPP, only the regular NPP.
Question: Is the Health System electronic access surveillance program only used to monitor access by known or suspected employees with a history of violating privacy and security policies?
Answer: The surveillance program monitors access by all workforce within the scope of each scheduled surveillance.
Question: When will computer audit trails be operational? In other words, at what point will Big Brother know whose files you looked at on your computer?
Answer: Audit trails are operational now and the health system is actively increasing its capability in this area.
Question: I am an employee in a Health System clinic. Can I use the electronic system to look up my upcoming clinic appointment in Family Practice, as I have forgotten the exact date and time?
Answer: No. In accordance with HIPAA regulation and Health System Policy 2454, "Employee Access to Protected Health Information," employees shall only access patient information and records for the sole purpose of performing employment duties and responsibilities.
Question: Do employees at the Health System who are also patients within the Health System have an advantage since their employment status allows them access to patient electronic information?
Answer: No. Employees who are patients at the Health System are prohibited from using their status and electronic system access as employees in their role as a patient. In other words, employees may not have any access except that normally granted to any Health System patient.
Question: I am concerned about a co-worker in my department who is out on an extended medical leave. In order to send the co-worker a get well card and words of encouragement, is it O.K. to access the electronic systems to get the correct mailing address?
Answer: No. Employees should only use the electronic systems as required by specific job functions. No matter how well intended or harmless, employees can be sanctioned for accessing PHI outside of required job functions.
Question: How should you dispose of white confidential material trash bags?
Answer: Confidential documents should be placed in trash containers with white liners. These white bags are collected daily by Environmental Services, securely transported, and processed in accordance with health system P&P 1450 "Confidential Material Destruction Procedures." If your unit does not have a trash container for confidential materials and you have such materials in your unit, contact Environmental Services for placement of an appropriate trash container and addition to the collection schedule.
Question: Do we have shredders in every clinic?
Answer: No, we do not have shredders in every clinic. See question on confidential material destruction.
Question: Can we leave a message for a patient on their voice mail/answering machine?
Answer: Yes, the practice of leaving messages on the patient’s voice mail/answering machines is appropriate unless the patient has requested and the health system has agreed to a restriction in this area. The minimum necessary information should be left in the message with thoughtful consideration to patient confidentiality.
Question: Can we use e-mail?
Answer: Yes. Refer to health system P&P 2442. This policy should be followed when using e-mail for patient to provider communication or any communication with patient information.
Question: Is it okay for providers (physicians and nurses) to put their e-mail address on their business cards and communicate via e-mail with patients?
Answer: HIPAA does not prohibit the use of e-mail, but health system P&P 2442 regarding e-mail should be followed. There is no HIPAA prohibition against the use of e-mail addresses on business cards. At this time, the health system has designated Lotus Notes as the only approved electronic mail service for e-mail containing PHI.
Question: What type of confidentiality statement should be included on fax cover sheets?
Answer: Sample language could be "This is a confidential patient-related communication. If you have received this facsimile in error, please notify the sender and destroy this copy" or "Confidential Notice - This fax may contain protected health information of a personal and sensitive nature related to an individual’s health care. As recipient, you are obligated to maintain it in a safe, secure, and confidential manner. Re-disclosure without additional patient authorization or as permitted by law is prohibited. This message is intended for the use of the person or entity to which it is addressed and may contain information that is privileged and confidential, the disclosure of which is governed by applicable law. If you are not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any disclosure, copying, or distribution of this information is strictly prohibited. If you have received this message by error, please notify the sender immediately to arrange for return or destruction of these documents."
Question: How does HIPAA affect employee health?
Answer: To the extent that employee health services are employment related, e.g., pre-employment physical and ongoing screening for communicable diseases, and the employee is not billed for those services, it is not necessary to give the employee a Notice of Privacy Practices. Employee health services are considered part of approved employment operations permitted under HIPAA.
Question: How does HIPAA affect the Employee Assistance Program and employee counseling/evaluation records?
Answer: All such records should be treated as confidential. The Employee Assistance Program is acting as a service available to employees and is not functioning as a provider of care. Notice of Privacy Practices is not needed in this situation.
Question: Under HIPAA is there individual/personal liability for a violation and institutional liability?
Answer: If the violation or inappropriate disclosure was a function of a system or process at the health system, liability rests with the institution. An individual employee may be liable for their actions in violation of HIPAA if the employee was not functioning within the course and scope of employment.
Question: In the case of providers who have privileges at outside hospitals, are they authorized to sign Medical Staff related documents concerning an organized health care arrangement between that facility and that outside Medical Staff?
Answer: Yes, if the documents are related to provider’s Medical Staff privileges at the outside facility.
Question: Is there a hard copy of all patient information in the medical record or is some only electronic?
Answer: Some portions of the patient’s health care records are held electronically and some are hard copy. Generally, all electronic reports and data are printed and filed in the medical record after discharge.
Question: Do shadow files need to be locked up at night?
Answer: Yes. Shadow records maintained in clinics should be treated the same as the official medical records, in that they are maintained in a secure location. In addition, other patient information not necessarily contained in the shadow file should be placed in folders, put in drawers, overhead flippers, etc., when not in use. Any documents containing protected health information should not be left where others may inappropriately review or use such documents.
Question: Is it permissible to allow a patient to hand-carry their chart from one clinic visit to another when the time between appointments does not allow the second clinic to request and receive the medical record via the normal process?
Answer: Health system P&P 2381 Request for Release of Medical Records states “HBCs may have the patient hand carry his/her original records when multiple appointments necessitate the immediate transfer of the records to another HBC. Special, marked, confidential envelopes are designated for use in this situation. This is discretionary and should not occur if there is reason to believe that the patient may tamper with the records.”
Question: The Burn Unit has a newsletter for burn patients. What is the appropriate process to follow to continue to use patient name and address on the mailing list?
Answer: The health system is allowed under HIPAA to communicate with patients regarding services provided and general information about the health system. No authorization is needed for this type of communication. However, the communication cannot include fund-raising information. Patient authorization is needed for fund-raising communications based upon the patient’s diagnosis.
Question: What do we do in the Emergency Room when we are discussing a patient’s condition and other patients are within earshot?
Answer: In open treatment areas, such as the Emergency Room, providers should use reasonable precaution to protect patient privacy - close cubicle curtains when possible, keep a low voice. This practice is referred to as an incidental disclosure under HIPAA and is allowed if reasonable precautions are taken to protect patient confidentiality.
Question: Can physician offices use patient sign-in sheets or call out the names of patients in their waiting rooms?
Answer: Yes, covered entities such as physician offices may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The Privacy Rule explicitly permits certain "incidental disclosures" that occur as a by-product of an otherwise permitted disclosure - for example, the disclosure to other patients in a waiting room of the identity of the person whose name is called. However, these "incidental" disclosures are permitted only to the extent that the covered entity has applied reasonable and appropriate safeguards and implemented the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem).
Question: A clinic customarily places patient charts in the plastic box outside an exam room. It does not want the record left unattended with the patient, and physicians want the record close by for fast review right before they walk into the exam room. Will the Privacy Rule allow the clinic to continue this practice?
Answer: Yes, the HIPAA Privacy Rule permits this practice as long as the clinic takes reasonable and appropriate measures to protect the patient’s privacy. The physician or other health care professionals use the patient charts for treatment purposes. Incidental disclosures to others that might occur as a result of the charts being left in the box are permitted, if the minimum necessary and reasonable safeguard requirements are met. As the purpose of leaving the chart in the box is to provide the physician with access to the medical information relevant to the examination, the minimum necessary requirement would be satisfied. Examples of measures that could be reasonable and appropriate to safeguard the patient chart in such a situation would be limiting access to certain areas, ensuring that the area is supervised, escorting non-employees in the area, or placing the patient chart in the box with the front cover facing the wall rather than having protected health information about the patient visible to anyone who walks by. Each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances.
Question: Is it a violation under HIPAA for recognized union stewards or representatives to walk through a clinic or patient care area where they may be exposed to confidential patient information?
Answer: UCD P&P 380-21 addresses appropriate access to meeting rooms and facilities by union stewards or union representatives for the purpose of interacting with employees. This policy should be followed. Work areas deemed to be inappropriate and thus prohibited from use of such business include patient care, clinical laboratories, and clinical areas.
To the Patient
Question: Patients who want to keep track of their test results often request their labs so they can log them. What information can be given to the patient?
Answer: Patients have the right to request to view and copy their medical record through a process outlined in the Notice of Privacy Practices - "written requests to Health Information Management Services." It is appropriate to share with the patient test results and the outcome of treatment related to the current visit or encounter, i.e., you may give the patient a copy of their sonogram, labs, or other test results. If the patient requests more detailed historical documents and records from the chart, the patient should be referred to Health Information Management Services.
Question: When transporting patients, can they look at their charts, since it is being transported with them?
Answer: Patients have a right to request to review and copy their chart. The health system may impose reasonable conditions for access to the patient record. One of our responsibilities is to prevent inappropriate alterations of the record. Review of the patient record during transport is not an appropriate method to obtain patient information as it increases the risk of inappropriate alteration. The patient should be referred to Health Information Management Services.
Question: Can a patient see their sonogram?
Answer: See question on requests for lab results. The provider may give patients the results of tests or treatment outcomes relative to the current patient encounter. Contact Health Information Management Services for more information.
Question: It is the practice in our clinic to give the patient a copy of their visual exam results when this information is required by the Department of Motor Vehicles to qualify for driver’s license renewal. Is this practice appropriate under HIPAA?
Answer: Yes. It is appropriate to provide the patient with a copy of their test results or outcome of treatment specific to that encounter or purpose of the visit. In this case, the information is released to the patient, not disclosed by us to the Department of Motor Vehicles, so no disclosure tracking is needed.
To Relatives and Friends
Question: If a mother requests information about her infant, can the nurse verbally tell her versus allowing her to read the chart?
Answer: Yes. If a mother is speaking with a nurse and requests information about her infant, the nurse can share with the mother information normally provided by nurses or as directed by the physician.
Question: If a minor requests that information not related to reproductive health be sent to another address, is that permissible?
Answer: No. Requests regarding non-reproductive information of a minor must come from the adult/parent.
Question: What information about a minor can be withheld from the parent?
Answer: The minor can request that reproductive issues not be shared with the parent. However, if the parent is the guarantor on the billing account, the parent has access for payment purposes to all information. Minors wanting to completely bar access to information related to reproductive issues should not use a parent’s insurance or otherwise have the parent as guarantor.
Question: Can a person who has power of attorney for health care sign authorization forms on behalf of the patient?
Answer: An individual with power-of-attorney for health care or other similar legal status is the patient’s representative and legally "stands in the shoes of" the patient and may authorize use or disclosure of patient information as though he or she was the patient.
Question: Can we talk to a spouse regarding a patient’s care? How should we deal with the patient’s family in a situation where the family may not know that the patient has an infectious disease?
Answer: See "Friends, relatives, neighbors" for more information and examples. The health system may disclose to a family member, other relative, or close personal friend of the patient, or any other person identified by the patient, protected health information directly related to such person’s involvement in the individual’s care or payment related to the individual’s health care if:
- the patient agrees;
- the patient has had an opportunity to object to the disclosure, and did not;
- based on the exercise of professional judgment, it appears that the patient would not object to the disclosure; or
- in cases where the patient is not present or incapacitated, the disclosure is in the best interests of the patient, based on the exercise of professional judgment.
To Other Providers
Question: Can the health system disclose patient information to outside referring physicians and hospitals?
Answer: Patient information may be shared, e.g., discharge summary, history and physical, op report, etc., with referring physicians for patient care purposes. Likewise, information may be shared with referring hospitals when both facilities have a role in providing care to the patient.
Question: I work in the Transfer Center and receive calls from other hospitals wanting faxed copies of patient information. What is the appropriate response and do we need patient authorization?
Answer: Protected health information can be shared with other health care providers for the purpose of treating the patient. No patient authorization is needed. Care must be taken to see that the fax goes to the correct destination and that a person is at the receiving end to pick up the fax or that the machine is in a secure location. A fax policy will be developed soon.
Question: If another hospital calls to ask if a patient has been a health system patient in the past, can we disclose this information?
Answer: It is appropriate to share patient information in response to questions from other hospitals if the other facility is involved in the patient’s treatment. No patient authorization is needed. If you are unsure of the identity of the requestor, confirm it before releasing information.
Question: Due to a request from an outside payer, it has been our past practice to include the patient’s date of birth and social security number on clinic notes when transcribed. Transcription templates have been revised to include this information. Is it proper by HIPAA guidelines to include the social security number on patient notes?
Answer: Patients’ social security numbers should not be sent to any party that does not really need them. Replacing the social security number with the last four digits should work in most cases, as the other entity should still be able to positively identify the patient. Transmit the full social security number only if absolutely necessary.
Question: Can PHI be shared with other health care providers (e.g., ambulance companies)?
Answer: Yes, the health system can release patient information without patient authorization and without tracking disclosure if the information is requested/needed for payment purposes of the other health care providers.
Question: Can a patient opt out of the health system directory?
Answer: Yes, in accordance with the Notice of Privacy Practices, a written request should be directed to Health Information Management Services for processing.
Question: During inpatient case conference (forum to discuss a rehabilitation unit inpatient’s medical and rehabilitation progress) an insurance payer case manager is present to listen to the patient’s status. Is disclosure allowed?
Answer: To the extent that the purpose and focus of PM&R inpatient case conference is to address patient care issues, rehabilitation progress, continuing care plans, eligibility issues, authorization, and payment issues, the functions are covered under "treatment and payment" and patient authorization is not needed. Disclosure tracking is not needed. Minimum necessary information should be disclosed. Organize case discussions so that insurance payer case managers only participate in cases relevant to their functions.
Question: What type of consent or authorization is necessary for an outside firm to provide photography services of newborns?
Answer: The health system provider (nurse or physician) needs to obtain the parent’s authorization for release of PHI to the photography firm. With appropriate, signed authorization, the outside photography service may then interact with the patient and family.
Question: Health system faculty may keep teaching files containing PHI on computers, film or disks within the department. This information is intended for use in in-house teaching and training. Can this PHI be used for teaching and education purposes without the patient’s authorization?
Answer: Yes, patient information may be used for in-house teaching purposes covered under health care operations. The minimum necessary rule applies. In addition, the teaching files should be maintained in a secure environment.
Question: If the medical record is used and portions of it disclosed as part of the request for production and/or deposition, is that disclosure trackable under HIPAA?
Answer: Use or disclosure of protected health information (PHI) in support of health system malpractice case management is appropriate as part of health care operations and as such it is not necessary to track this disclosure.
Question: If the medical record is used in court as part of the testimony of a health system employee, is that use and disclosure trackable?
Answer: The university may use PHI to manage legal issues and it is not necessary to track disclosure. If records are produced under subpoena or court order, that disclosure must be tracked.
Question: Federal regulations require the health system to have a contract with and make referrals to organ and tissue donation organizations to support organ donation and transplant issues. What portion of organ and tissue disclosures are trackable?
Answer: The health system, when listing transplant patients with UNOS, is required to disclose certain PHI. This disclosure is not trackable as it is in support of ongoing patient care and/or performance improvement activities. Disclosure of PHI to an organ procurement organization or eye and tissue bank is trackable under HIPAA. Tracking of these disclosures will be coordinated through Decedent Affairs.
Question: The health system submits an annual report to the state of California Office of Statewide Health Planning and Development (OSHPD) in accordance with state law. Is disclosure of that PHI trackable?
Answer: The mandated annual report to OSHPD is part of health care operations, specifically population-based studies to improve health care and planning, and as such is not trackable.
Question: If a provider is asked by a funeral director to sign the death certificate and confirm cause of death or diagnosis, does that constitute a trackable disclosure under HIPAA?
Answer: Yes, disclosure of PHI to the coroner, medical examiner, or funeral director is trackable.
Question: In accordance with state law, patients diagnosed with dementia are reported to the County/DMV. Is this a trackable disclosure?
Answer: Yes, the disclosure to the DMV must be tracked in the Disclosure Tracking Database.
Question: As part of the E5 Rehabilitation Unit discharge, therapists will provide to the patient’s school, clinical information regarding therapeutic reintegration. The information is needed by the school system to provide educational or other accommodations. Is disclosure required?
Answer: Disclosure of rehabilitation discharge information (therapists provide patient’s school with clinical information regarding therapeutic reintegration - information needed by the school system to provide educational or other accommodations) to outside entity (not a health care provider) requires a signed authorization by the patient or patient’s representative. With signed authorization, you may share specific PHI with the school and no disclosure tracking is necessary.
Question: Is the release of PHI on the Workers' Compensation First Report of Injury form or other Workers' Compensation forms, a disclosure that must be tracked under HIPAA?
Answer: Disclosure of PHI in Workers' Compensation cases is not trackable if the disclosure is for the purpose of payment of health system services or treatment of the patient. Subpoenas received in support of final settlement or disposition of Workers' Compensation cases should be directed to Health Information Management Services.