HIPAA. The elephant in the room, or the Hippo, depending on who you talk to 🙂
I love this Myth and Fact list…. It is really concise, and answers a lot of questions.
However, there are other things that hospitals and physician practices need to get over about HIPAA. If they want these rules to be part of their personnel or operations manual, great. However, they are NOT HIPAA Violations:
- Showing a parent the medical information about their minor child. This is specifically controlled by state law. Minor Children do not have to sign a release form for their parents to be able to get their medical information. There are a few exceptions to that.
- Examples of organizations that do not have to follow the Privacy and Security Rules include:
- Life insurers
- Workers compensation carriers
- Most schools and school districts
- Many state agencies like child protective service agencies
- Most law enforcement agencies
- Many municipal offices
- Completely de identified health information. When you do not give a patient’s age, sex, location, a specific description of an injury, identifying information in the patient’s history (ie, patient has had three stillbirths) name, address, telephone number, email address, family names, etc….you have violated NOTHING. “OMG This patient is KILLING ME” is not a HIPAA violation. However, your employer has the right to say that you are not allowed to mention work at all on social media.
- “We are understaffed” NOT A HIPAA VIOLATION. Nice try, healthcare organization. Your employer should not have a right to regulate that, and quite frankly should have to disclose it to all patients depending on care at the facility. IJS.However, at this point they can tell you you are not allowed to post about the facility on social media.
- The HIPAA Privacy Rule allows physicians and staff to use and disclose PHI without a patient’s written authorization for purposes related to treatment, payment, and health care operations. It further defines “health care operations” to include “to conduct training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.” So you do not need permission to use a case with de identified health information as a case study. However, you must use the minimum amount of PHI possible, and it must stay within the organization. Transmitting it elsewhere is different.
- Treatment, Payment, and Healthcare operations rules can be found here
HIPAA is actually pretty simple. Don’t tell people about other people’s medical conditions who have no business knowing about them. A ton of the ‘rules’ we follow are myths and ridiculous. If you make a mistake, document it and don’t do it again.
My Son, Alexander was killed on February 18, 2011 at the age of 17, two months before his 18th birthday. I received a bill from the EMS provider and called to ask for an itemized statement in June. I was told that he had not released his medical information to me in writing. I said that I was his mother, and that he was dead. The company stated that he was an adult and had to sign to give me permission to have the statement. I told the person that he actually died as a minor. She said, “But he is over 18 now.”
I declined to pay.
JanieShare this post with friends!
Want More? Click below to follow us!