Take the HIPAA Privacy Rule Quiz
Test your knowledge of the Privacy Rule and what it really means for your facility.
Kimberly Greaves
Publish Date: June 9, 2008 | Tags: Regulatory Affairs
As I've talked with facility managers about the HIPAA Privacy Rule, two things have struck me: most everyone has a general understanding of the Privacy Rule (perhaps because we've been talking about it for so long), and very few people clearly understand what the Privacy Rule says providers must do, and by when.

What about you? Take a few minutes to test your knowledge of the Privacy Rule and what it means for your facility.

1. Your facility must have a Privacy Notice.
a. true
b. false

Answer: True. Your facility must have a Privacy Notice.

2. Your Privacy Notice must describe:
a. how you will use/disclose protected health information
b. how patients can gain access to their protected health information
c. patients' rights regarding privacy, including the right to file a complaint
d. all of the above

Answer: D. Your privacy notice must describe all these things in plain language.

3. Your Privacy Notice must be:
a. posted in the reception area and mailed to all patients
b. shown to the patient every time he comes for care
c. presented to the patient once, with documentation that the patient received it
d. all of the above

Answer: C. The primary requirement is that you present the patient with the Privacy Notice once, and then have him initial a copy to acknowledge receipt. Keep the copy in the patient chart. If you cannot obtain an acknowledgement from the patient, document that you made a good faith effort to do so, and state why you didn't obtain the acknowledgment.


4. You must obtain the patient's written consent to use or disclose protected health information under any circumstances.
a. true
b. false

Answer: False. The August 2002 modifications to the Privacy Rule deleted the written consent requirement when you use or disclose protected health information to treat the patient, to get paid for healthcare services or for the healthcare operations of your facility. You may also share protected health information with another provider for that provider's treatment of the patient, to assist that provider in obtaining payment for services or for that provider's healthcare operations. Note, however, that sharing for another provider's healthcare operations is permitted only if that provider has or had a relationship with the patient, the information pertains to that relationship, and the purpose is limited to detecting fraud and abuse, quality assessment and assurance activities, or reviewing provider competency.


5. Your facility can be held liable for any type of use or disclosure of protected health information, such as an overheard conversation between staff members.
a. true
b. false

Answer: It depends. The Privacy Rule acknowledges that incidental or unintended uses and disclosures can occur during the delivery of health care. You must, however, take reasonable precautions to protect patients' privacy and to minimize such incidental and unintended uses and disclosures. If your facility has reasonable safeguards in place and some protected health information is disclosed incidentally to an otherwise permissible use or disclosure, the facility is not considered to be in violation of the Privacy Rule. If the facility has not taken reasonable precautions and protected health information is disclosed, it may be in violation of the Privacy Rule. The key is "appropriate" safeguards, which are determined by assessing what reasonable steps your facility and staff can take to minimize prohibited uses and disclosures of patient information.

A closely related and very important Privacy Rule concept is the "minimum necessary rule," which requires providers to ensure that only the minimum amount of information is used even for permitted uses or disclosures. Physicians and nurses may need access to all of the patient's privileged information, but the receptionist does not. You should take steps to restrict the receptionist's access to only the information needed to do her job, which may be as limited as the patient's name, contact information and the physician's name. You could password-protect access to information in computers or place contact information in the front of the patient's paper chart and implement policies that prohibit the receptionist from reviewing information other than the contact information.

Remember this: If you restrict access to patient information, and the receptionist still accesses and/or discloses the patient's protected health information, your facility has not violated the Privacy Rule. But if you don't restrict access to the minimum amount necessary, and the receptionist discloses confidential information, your facility may face penalties for violation of the Privacy Rule.
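The minimum-necessary restriction described above is ordinary least-privilege access control, and it is easiest to enforce when the allowed fields are written down per role and everything else is denied. The following is an added illustration, not code from the article or from any HIPAA guidance: a deny-by-default, field-level filter over a patient record with an audit trail of every access attempt. The role names, field names, user IDs and the sample record are all constructed for the example; the receptionist's view (name, contact information, physician) follows the article's description.

```python
# Added example (not from the article): a deny-by-default, field-level
# "minimum necessary" filter for patient records, with an audit trail.
# Roles, field names, user IDs and the sample record are constructed for
# illustration; none of them is defined by HIPAA or by the article.
from datetime import datetime, timezone
from typing import Optional

# Each role sees only the fields it needs to do its job. A field missing from
# a role's set is hidden, so adding a new field to a record never widens
# anyone's view by accident.
ROLE_FIELDS = {
    "physician":    {"patient_id", "name", "contact", "physician",
                     "diagnosis", "procedure", "notes"},
    "nurse":        {"patient_id", "name", "contact", "physician",
                     "diagnosis", "procedure", "notes"},
    "receptionist": {"patient_id", "name", "contact", "physician"},
}

# In a real system this would be append-only storage, not a list in memory.
AUDIT_LOG = []


class AccessDenied(PermissionError):
    """Raised when a user explicitly asks for a field their role may not see."""


def _audit(user, role, patient_id, requested, granted, denied, outcome):
    """Record who asked for what, what they got, and what was withheld."""
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "patient_id": patient_id,
        "requested": sorted(requested),
        "granted": sorted(granted),
        "denied": sorted(denied),
        "outcome": outcome,
    })


def view_record(record: dict, user: str, role: str,
                requested: Optional[set] = None) -> dict:
    """Return the subset of `record` that `role` is permitted to see.

    With no explicit `requested` set, the caller gets every permitted field
    that exists in the record (the receptionist's "front of the chart"); the
    withheld fields are noted in the audit entry but nothing is raised.
    With an explicit set, any field outside the role's allowance is treated
    as a policy violation: nothing is returned and the attempt is logged.
    """
    patient_id = record.get("patient_id", "?")
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:                       # unknown role: deny everything
        wanted = set(requested or ())
        _audit(user, role, patient_id, wanted, set(), wanted, "denied")
        raise AccessDenied(f"unknown role {role!r} for user {user!r}")

    wanted = set(record) if requested is None else set(requested)
    denied = wanted - allowed
    granted = (wanted & allowed) & set(record)

    if requested is not None and denied:
        _audit(user, role, patient_id, wanted, set(), denied, "denied")
        raise AccessDenied(f"{role} {user!r} may not view {sorted(denied)}")

    _audit(user, role, patient_id, wanted, granted, denied, "granted")
    return {k: record[k] for k in granted}


# Constructed sample record (fictional patient; not real data).
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "contact": "555-0100",
    "physician": "Dr. A. Surgeon",
    "diagnosis": "cholelithiasis",
    "procedure": "laparoscopic cholecystectomy",
    "notes": "NPO after midnight",
}


def demo() -> dict:
    """Run the article's scenario: front desk, physician, then an over-reach.

    Returns the receptionist's permitted view; the refused attempt is the
    last entry in AUDIT_LOG.
    """
    front_desk = view_record(SAMPLE_RECORD, "r.jones", "receptionist")
    view_record(SAMPLE_RECORD, "dr.smith", "physician")
    try:
        view_record(SAMPLE_RECORD, "r.jones", "receptionist",
                    {"name", "diagnosis"})
    except AccessDenied:
        pass                                  # logged; nothing was returned
    return front_desk


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT_LOG:
        print(entry)
```

The two behaviours are deliberate: a plain `view_record(...)` call filters silently, because the front desk should simply never see the clinical fields, while a call that names a forbidden field returns nothing at all, because that is exactly the access the article says the facility must be able to show it restricted. The audit entries are what you would hand over to demonstrate that restriction was in place.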


6. When treating children, you must protect their treatment information, even from their parents or legal guardians.
a. true
b. false

Answer: False. The Privacy Rule defers to state law regarding the withholding of information about a child's health care from a parent. In general, the parent, guardian or person acting in loco parentis is considered to be the child's personal representative and is allowed access to a child's healthcare information, unless state law restricts parental access. If state law prohibits you from informing parents of certain procedures (such as pregnancy tests or abortion), then you may not disclose this information to parents.

7. You must still obtain written patient permission in some situations.
a. true
b. false

Answer: True. You must obtain written patient permission, referred to as an authorization, to use or disclose protected health information for any purposes other than treating the patient, obtaining payment or performing healthcare operations, unless an exception applies. In general, this would include marketing products and services, sharing patient information with a company that will market products and services to the patient, conducting research or providing information to a life insurance company.

8. The Privacy Rule defines marketing as any communication regarding products or services that the patient may purchase.
a. true
b. false

Answer: False. The recent modifications to the Privacy Rule narrow the definition of marketing to a communication that encourages the patient to purchase or use a product or service. Before using any protected health information for marketing, you must obtain the patient's written authorization. But you may market to a patient on a face-to-face basis without obtaining the patient's authorization. If a company is paying you to market a product or service on its behalf, you must inform the patient.

You do not need to obtain the patient's authorization to send a notice reminding her to schedule a mammogram, informing her of a drug recall or advising her of health or wellness classes. You may also send educational materials or information about a specific device or drug that might be used in the patient's treatment.

Without obtaining written patient authorization, you may use or disclose protected patient information as required or permitted by law due to overriding public interests, including public health concerns, governmental functions, certain medical research, reporting abuse, neglect or a crime, and cooperating with law enforcement. If the patient information has been stripped of all information that could be traced back to the patient, then you may use or disclose it in any manner.

9. A business associate not involved in the treatment of patients (auditors, lawyers, billing firms, accreditation organizations) requests information that could be traced back to individual patients. You must:
a. obtain an authorization from each patient
b. require the business associate to sign a written agreement to protect patients' privacy
c. both a and b
d. none of the above

Answer: B. You may share information with business associates (those who use or disclose protected health information on your behalf) without obtaining each patient's authorization if the business associate provides reasonable assurances, in writing, that it will safeguard protected patient information. The Privacy Rule outlines the specific requirements for such written agreements. You're not required to monitor the business associate's activities, but you must act if you learn of an improper use or disclosure of protected health information, including terminating your relationship with the business associate or reporting the problem to the Office for Civil Rights (the office within the Department of Health and Human Services that has HIPAA enforcement and oversight authority).

10. Providers must have HIPAA Privacy Rule changes in place by:
a. Oct. 15, 2002
b. Apr. 14, 2003
c. Jan. 1, 2003
d. none of the above

Answer: B. The recent modifications to the Privacy Rule became effective on Oct. 15, 2002, but that is not the compliance date. You must have your HIPAA changes in place by Apr. 14, 2003.

Full compliance
So, how'd you do? Hopefully you answered all or most of the 10 questions correctly and you're well on your way to understanding HIPAA's Privacy Rule requirements and educating others in your facility. Keep in mind that these questions merely touch on some of the major requirements of the Privacy Rule.

When it comes to complying with HIPAA, the federal government is not expecting a general understanding - it expects full compliance. And HIPAA has teeth. The lowest civil penalty is a $100 fine for each violation of a Privacy Rule standard, with a maximum of $25,000 per year per provider per standard violated. If you obtain patient information with the purpose of selling it for commercial advantage, personal gain or malicious harm, criminal penalties can be imposed that may be as high as $250,000 plus a 10-year jail sentence. Penalties can be levied against you or a staff member and the facility. In some circumstances, you can even be sanctioned for violations by one of your business associates.

Ms. Greaves ([email protected]) is a healthcare attorney with Morris Manning and Martin, LLP, in Atlanta.