Hospitals and other healthcare providers frequently want to conduct HIPAA medical surveys or questionnaires of patients to determine whether patients were satisfied with the quality of care and services that they received. The HIPAA Privacy Rule generally permits hospitals to conduct such surveys.
Are HIPAA Medical Surveys Considered “Healthcare Operations”?
Generally, covered entities may disclose protected health information (PHI) to facilitate healthcare operations, without first having to obtain a patient’s express written authorization. Under the HIPAA Privacy Rule, covered entity providers may conduct HIPAA medical surveys that constitute “quality assessment and improvement activities,” as part of their healthcare operations.
Surveys or questionnaires that are aimed at determining whether patients were satisfied with the level of care they received are regarded as quality assessment and improvement activities. As such, these surveys constitute healthcare operations, which can be facilitated through PHI disclosure.
However, such HIPAA medical surveys should not be construed as a license to disregard patient privacy. Indeed, before a hospital may engage in these activities, the hospital must indicate, in its Notice of Privacy Practices, that it may use identifiable information as part of its healthcare operations.
The Notice of Privacy Practices is a document that healthcare providers and health plans must, under the HIPAA Privacy Rule, give to patients. The notice must advise patients how healthcare providers may share and use patient health information. The notice must also include a statement of health privacy rights. Patients typically are given the notice on their first visit to a provider, or in the mail from their healthcare plan. Patients may also ask for a copy of the notice at any time.
The notice must specifically address:
- How the covered entity may use and disclose protected health information about an individual.
- The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
- The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
- Whom individuals can contact for further information about the covered entity’s privacy policies.
The notice must include an effective date. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices.