HIPAA for Professionals

Professionals – individuals licensed to provide services in a particular field, such as law, medicine, or accounting – are often required to comply with HIPAA. Doctors, as healthcare providers, must comply with HIPAA directly: the law explicitly provides that covered entities (healthcare providers that conduct standard electronic transactions, healthcare clearinghouses, and health plans) must be HIPAA compliant.

Other professionals, including those working in law, insurance, or accounting, may be business associates of covered entities, meaning they create, receive, maintain, or transmit protected health information (PHI) on a covered entity’s behalf. These professionals must also be HIPAA compliant. HIPAA for professionals requires an understanding of both the HIPAA Privacy Rule and the HIPAA Security Rule. This article discusses HIPAA for professionals in the context of the HIPAA Privacy Rule.

HIPAA for Professionals: What Do Professionals Need to Know?

HIPAA for professionals consists of the same obligations as HIPAA compliance in general. Whether a professional organization’s business is healthcare, health insurance, or something unrelated to healthcare, HIPAA for professionals involves understanding some key Privacy Rule concepts:

  • The Privacy Rule provides federal protections for protected health information held by covered entities, and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of protected health information needed for patient care and other important purposes.
  • The Privacy Rule does not require covered entities to obtain a signed consent form before sharing information for treatment purposes. Healthcare providers can share information for treatment purposes without a signed patient authorization.
  • The Privacy Rule does not require you to eliminate all incidental disclosures. The Privacy Rule recognizes that it is not practicable to eliminate all risk of incidental disclosures. Incidental disclosures do not violate the Privacy Rule when you have policies that reasonably safeguard PHI, apply the minimum necessary standard, and appropriately limit how protected health information is used and disclosed.
  • The Privacy Rule does not cut off all communications between you and the families and friends of patients. As long as the patient does not object, the Privacy Rule permits covered entities to:
    • Share needed information with family, friends, or anyone else a patient identifies as involved in his or her care;
    • Disclose information when needed to notify a family member or anyone responsible for the patient’s care about the patient’s location or general condition; and
    • Share the appropriate information for these purposes even when the patient is incapacitated if doing so is in the best interest of the patient.
  • The Privacy Rule does not stop calls or visits to hospitals by family, friends, clergy or anyone else. Unless the patient objects, basic information such as phone number, room number and general condition can:
    • Be listed in the hospital directory;
    • Be given to people who call or visit and ask for the patient by name; and
    • Be given to clergy, along with religious affiliation (when provided by the patient), even if the clergy member does not ask for the patient by name.
  • The Privacy Rule does not prevent child abuse reporting.  Covered entities may continue to report child abuse or neglect to appropriate government authorities. In some cases, covered entities may be required to do so. 
  • The Privacy Rule does not prevent disclosure of PHI for law enforcement purposes. Covered entities may generally disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances: 
    • As required by law (including court orders, court-ordered warrants, and subpoenas) and in response to administrative requests that meet the Rule’s conditions; 
    • To identify or locate a suspect, fugitive, material witness, or missing person; 
    • In response to a law enforcement official’s request for information about a victim or suspected victim of a crime; 
    • To alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; 
    • When a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and 
    • By a covered healthcare provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
  • The Privacy Rule is not anti-electronic. Under the Privacy Rule, covered entities can communicate with patients, providers, and others by email, telephone, or facsimile, provided appropriate safeguards are implemented to protect patient privacy. The Privacy Rule does, however, require reasonable safeguards when PHI is disposed of, including paper PHI. The Department of Health and Human Services (HHS) has developed guidance on PHI disposal methods. Under this guidance, proper paper PHI disposal methods may include, but are not limited to:
    • Shredding,
    • Burning,
    • Pulping,
    • Pulverizing, or
    • Other methods that render PHI unreadable, indecipherable, and unable to be reconstructed.

Proper PHI disposal may also be accomplished by combining the following:

  1. Maintaining labeled prescription bottles and similar forms of PHI in opaque bags in a secure area; and 
  2. Using a disposal vendor, engaged as a business associate under a business associate agreement, to remove and shred or otherwise destroy the PHI.