HIPAA
Privacy
GETTING HIPAA PRIVACY TO FLY…
…A REALISTIC, PRACTICAL APPROACH
HIPAA Privacy
History & Background
Brief Review of Notice of Privacy
Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested
changes
Dr. Quack: Getting HIPAA to Fly
2
HIPAA Privacy
(What it is NOT)
Electronic Data Interchange
Medicare electronic claim regulations
Computer software regulations
EDI due in October 2003
Background / History
HIPAA Privacy
1996 Federal law
Protects patient privacy
Gives patient access to their records
Allows patients to amend their records
Background / History
Constantly morphing process over years
Finally gelled last quarter of 2002
Final federal rules published in October
OCR Guidelines published in December
Background / History
AOA HIPAA Privacy Manual published
160 pages
Charts (directions)
Worksheets
Policy suggestions
Review of
Notice of Privacy Practices
Policy 14B on pages 31-32 & copy for
posting at end of Manual
Dr. Platypus
et al
Dr. Donald Duck
and Daisy Duck
Dr. Daffy Duck
and Peking Duck
THE OPTOMETRISTS PRACTICING IN DUCKVILLE, NEBRASKA
Review of
Notice of Privacy Practices
This notice describes how medical information
about you may be used (in our office) or
disclosed (outside our office) and how you
can gain access to this information.
Treatment, Payment and
Health Care Operations
The most common reason why we use or
disclose your health information is for
treatment, payment or health care operations
Treatment, Payment and
Health Care Operations
Rx
Setting up an appointment for you;
Testing or examining your eyes;
Prescribing glasses, contact lenses, or eye
medications and
Treatment, Payment and
Health Care Operations
Rx
Faxing them to be filled; showing you low
vision aids;
Referring you to another doctor or clinic for
eye care or low vision aids or services; or
Getting copies of your health information
from another professional that you may have
seen before us.
Treatment, Payment and
Health Care Operations
$
Asking you about your health or vision care
plans, or other sources of payment;
Preparing and sending bills or claims; and
Collecting unpaid amounts (either ourselves
or through a collection agency or attorney).
Treatment, Payment and
Health Care Operations
Administrative and managerial functions
Financial or billing audits;
Internal quality assurance;
Personnel decisions;
Treatment, Payment and
Health Care Operations
Participation in managed care plans;
Defense of legal matters;
Business planning; and
Outside storage of our records.
Treatment, Payment and
Health Care Operations
We routinely use your health information
inside our office for these purposes without
any special permission.
If we need to disclose your health
information outside of our office for these
reasons, we usually will not ask you for
special written permission.
Treatment, Payment and
Health Care Operations
We will ask for special written permission
when it is required by law.
Other Uses or Disclosures
Without Permission
In some limited situations, the law allows or
requires us to use or disclose your health
information without your permission.
Not all of these situations will apply to us;
Some may never come up at our office at all.
Other Uses or Disclosures
Without Permission
When a state or federal law mandates that
certain health information be reported for a
specific purpose;
Other Uses or Disclosures
Without Permission
For public health purposes, such as
contagious disease reporting, investigation or
surveillance; and
Notices to and from the federal Food and
Drug Administration regarding drugs or
medical devices;
Other Uses or Disclosures
Without Permission
Disclosures to governmental authorities about
victims of suspected abuse, neglect or
domestic violence;
Uses and disclosures for health oversight
activities, such as for the licensing of doctors;
For audits by Medicare or Medicaid; or
for investigation of possible violations of
health care laws;
Other Uses or Disclosures
Without Permission
Disclosures for judicial and administrative
proceedings, such as in response to
Subpoenas
Orders of courts
Administrative agencies;
Other Uses or Disclosures
Without Permission
Disclosures for law enforcement purposes,
such as
To provide information about someone who
is or is suspected to be a victim of a crime;
To provide information about a crime at
our office; or
To report a crime that happened
somewhere else;
Other Uses or Disclosures
Without Permission
Disclosure to a medical examiner to identify a
dead person or to determine the cause of
death; or
To funeral directors to aid in burial; or
To organizations that handle organ or tissue
donations;
Uses or disclosures for health related
research;
Uses and disclosures to prevent a serious
threat to health or safety;
Other Uses or Disclosures
Without Permission
Uses or disclosures for specialized
government functions, such as
For the protection of the president or high
ranking government officials;
For lawful national intelligence activities;
For military purposes; or
For the evaluation and health of members
of the foreign service;
Other Uses or Disclosures
Without Permission
Disclosures of de-identified information;
Disclosures relating to worker’s compensation
programs;
Disclosures of a “limited data set” for
research, public health, or health care
operations;
Other Uses or Disclosures
Without Permission
Incidental disclosures that are an unavoidable
by-product of permitted uses or disclosures;
Disclosures to “business associates” who
perform health care operations for us and
who commit to respect the privacy of your
health information;
Other uses and disclosures affected by state
law.
Uses & Disclosures:
Unless You Object…
Unless you object, we will also share relevant
information about your care with your family
or friends who are helping you with your eye
care.
Uses & Disclosures:
Unless You Object…
Appointment Reminders
We may call or write to remind you of
scheduled appointments, or that it is time
to make a routine appointment.
We may also call or write to notify you of
other treatments or services available at
our office that might help you.
Uses & Disclosures:
Unless You Object…
Appointment Reminders
We will mail you an appointment reminder
on a post card, and/or
Leave you a reminder message on your
home answering machine or with someone
who answers your phone if you are not
home.
Uses & Disclosures:
Only With Authorization
We will not make any other uses or
disclosures of your health information unless
you sign a written “authorization form.”
Federal law determines the content of an
“authorization form”.
Sometimes, we may initiate the authorization
process if the use or disclosure is our idea.
Sometimes, you may initiate the process if it’s
your idea for us to send your information to
someone else.
Uses & Disclosures:
Only With Authorization
Typically, in this situation you will give us a
properly completed authorization form, or you
can use one of ours.
If we initiate the process and ask you to sign
an authorization form, you do not have to
sign it.
If you do not sign the authorization, we
cannot make the use or disclosure.
Uses & Disclosures:
Only With Authorization
If you do sign one, you may revoke it at any
time unless we have already acted in reliance
upon it.
Revocations must be in writing.
Send them to the office contact person
named at the end of this Notice.
YOUR RIGHTS
Regarding your PHI
The law gives you many rights regarding your
health information….
YOUR RIGHT to ask us to
restrict uses & disclosures
Ask us to restrict our uses and disclosures for
purposes of treatment (except emergency
treatment), payment or health care operations.
We do not have to agree to do this, but if we
agree, we must honor the restrictions that you
want.
To ask for a restriction, send a written request
to the office contact person named at the end
of this Notice. Use the address, fax or E Mail
shown at the beginning of this Notice.
YOUR RIGHTS: Confidential
Communication
Ask us to communicate with you in a
confidential way, such as
by phoning you at work rather than at
home,
by mailing health information to a different
address, or
by using E-mail to your personal E Mail
address.
YOUR RIGHTS: Confidential
Communication
We will accommodate these requests if they
are reasonable, and if you pay us for any
extra cost.
If you want to ask for confidential
communications, send a written request to
the office contact person named at the end of
this Notice. Use the address, fax or E Mail
shown at the beginning of this Notice.
YOUR RIGHTS: Photocopies
Ask to see or to get photocopies of your
health information.
By law, there are a few limited situations in
which we can refuse to permit access or
copying.
YOUR RIGHTS: Photocopies
For the most part, however, you will be able
to review or have a copy of your health
information within 30 days of asking us (or
sixty days if the information is stored off-site).
You may have to pay for photocopies in
advance.
If we deny your request, we will send you a
written explanation, and instructions about
how to get an impartial review of our denial if
one is legally available.
YOUR RIGHTS: Photocopies
By law, we can have one 30 day extension of
the time for us to give you access or
photocopies if we send you a written notice
of the extension. [Nebraska?]
If you want to review or get photocopies of
your health information, send a written
request to the office contact person named at
the end of this Notice. Use the address, fax or
E Mail shown at the beginning of this Notice.
YOUR RIGHTS:
Amending your PHI
Ask us to amend your health information if
you think that it is incorrect or incomplete.
If we agree, we will amend the information
within 60 days from when you ask us.
We will send the corrected information to
persons who we know got the wrong
information, and others that you specify.
YOUR RIGHTS:
Amending your PHI
If we do not agree, you can write a
statement of your position, and we will
include it with your health information along
with any rebuttal statement that we may
write.
YOUR RIGHTS:
Amending your PHI
Once your statement of position and/or our
rebuttal is included in your health
information, we will send it along whenever
we make a permitted disclosure of your
health information.
By law, we can have one 30 day extension of
time to consider a request for amendment if
we notify you in writing of the extension.
YOUR RIGHTS:
Amending your PHI
If you want to ask us to amend your health
information, send a written request, including
your reasons for the amendment, to the
office contact person named at the end of
this Notice. Use the address, fax or E Mail
shown at the beginning of this Notice
YOUR RIGHTS:
Lists of PHI disclosed
Get a list of the disclosures that we have
made of your health information within the
past six years (or a shorter period if you
want).
By law, the list will not include: disclosures
for purposes of treatment, payment or health
care operations; disclosures with your
authorization; incidental disclosures;
disclosures required by law; and some other
limited disclosures.
YOUR RIGHTS:
Lists of PHI disclosed
You are entitled to one such list of disclosures
per year without charge.
If you want more frequent lists, you will have
to pay for them in advance.
We will usually respond to your request
within 60 days of receiving it, but by law we
can have one 30 day extension of time if we
notify you of the extension in writing.
YOUR RIGHTS:
Lists of PHI disclosed
If you want a list of disclosures, send a
written request to the office contact person
named at the end of this Notice. Use the
address, fax or E Mail shown at the
beginning of this Notice.
YOUR RIGHTS:
Copies of Privacy Practices
Get additional paper copies of this Notice of
Privacy Practices upon request.
It does not matter whether you got one
electronically or in paper form already.
If you want additional paper copies, send a
written request to the office contact person
named at the end of this Notice.
Use the address, fax or E Mail shown at the
beginning of this Notice
OUR NOTICE OF PRIVACY
PRACTICES
By law, we must abide by the terms of this
Notice of Privacy Practices until we choose to
change it.
We reserve the right to change this notice at
any time as allowed by law.
OUR NOTICE OF PRIVACY
PRACTICES
If we change this Notice, the new privacy
practices will apply to your health information
that we already have as well as to such
information that we may generate in the
future.
If we change our Notice of Privacy Practices,
we will post the new notice in our office, have
copies available in our office, and post it on
our Web site.
COMPLAINTS
If you think that we have not properly
respected the privacy of your health
information, you are free to complain to us or
the U.S. Department of Health and Human
Services, Office for Civil Rights.
We will not retaliate against you if you make
a complaint.
COMPLAINTS
If you want to complain to us, send a written
complaint to the office contact person named
at the end of this Notice.
Use the address, fax or E Mail shown at the
beginning of this Notice.
If you prefer, you can discuss your complaint
in person or by phone.
NOA (AOA) Manual Handout
NOA adaptations of AOA Manual
HIPAA job title on policies instead of name
Tables added (Job titles, etc.)
State law addressed
Index added
Formatted for letterhead
Underline replaces brackets
Inserted Tables
(NOA unique)
Personnel names vs. job title
Job Titles vs. PHI
HIPAA Officers’ names
Inserted Tables
(NOA unique)
Personnel names vs. job title
Every employee listed
For each employee
Check each job they perform
Enter date they completed HIPAA training
Inserted Tables
(NOA unique)
Job Titles vs. PHI
Every Job Title listed
Using analysis forms provided
Worksheet 6 or Dr. Quack Assessment
Worksheet 24
Check each type of PHI accessed
Inserted Tables
(NOA unique)
HIPAA Officers’ names
List every person with HIPAA role
Check HIPAA role(s) they will perform
Enter date they completed HIPAA training
HIPAA and Nebraska Law
Briefly describes Nebraska state law
section at the back of the manual
Inserted here to indicate that there has
been a section added
Policy 3A: Affiliated Covered
Entities
2 or more entities (example:
corporations)
Connected ownership or control
Comply with HIPAA as a single unit
Dr. Quack
Policy 3B: Health Care
Components
Affects hybrid entities (example: retail &
optometry)
Should designate portion of business as
“health care component”
Only health care component must
comply with HIPAA
Otherwise, entire entity must comply
with HIPAA
Dr. Merganser Duck
Policy 5A: Privacy Officer
Qualifications
Duties
Who is appointed (refers to HIPAA
Personnel Roster)
Policy 5B: Public Information
Officer
Qualifications
Duties
Who is appointed (refers to HIPAA
Personnel Roster)
Worksheet 6 or Dr. Quack’s
Assessment
Gather Information on use of PHI in
your office
Complete one form for each job description
Keep on hand, proving you made the effort
Worksheet 8: No authorization
needed for some use of PHI
Treatment
Payment
Health Care Operations
Policy 7A 8A 10A: No
Authorization Required for
Certain Disclosures of PHI
Treatment, Payment, Health Care Oper.
Business Associates
Use or Disclosure required by Law
Others mentioned in Notice of Privacy
Practices
(Also addressed in State Law Appendix)
Policy 9A: Facility Directory
Directory policy applies to an entity
where a directory is kept of patients in
process of a procedure, et cetera.
9A: Describes what must take place if you
have a directory
9A No Directory: ODs who do not maintain
a directory need not comply with this
section.
Policy 9B: Providing
Information to Family &
Friends
General policy explained
Oral agreement with patient okay
Worksheet 10: Public Policy
Disclosures
For Policy 7A, 8A, 10A (previously reviewed)
See state law section for Dr. Quack’s
assessment
Worksheet 11: Marketing &
Advertising
Read policy 11A.
Authorization not needed for marketing
described in item #4 or #7. (Covers
most marketing done by ODs)
Other marketing requires individual
authorization of each occurrence.
Policy 11A: Marketing &
Advertising
Cannot release PHI to others w/o written
authorization
Pictures
Testimonials
Patient lists to marketers
Can “market” to individual patient
Services you provide
Materials you provide
Give promotional gifts of limited value
Policy 11A: Marketing &
Advertising
Can market w/o use of PHI
General TV ads
Brochures to occupant
Read the policy carefully
Policy 11A: Marketing &
Advertising
OCR Changes since AOA printing
CAN leave non-specific message on
answering machine (glasses are ready,
appointment tomorrow, due for exam)
CAN send postcard with appointment time
Unless patient requests otherwise
Policy 12A: Disclosures for
Research
Need to read carefully if you
Participate in clinical trials
Conduct research
Worksheet 13: Prepare PHI
Disclosure Authorization Form
Use as you feel necessary after reading
policies
Policy 13A: PHI Disclosure
Authorization Form
Detailed description of what is to be
released
Specific purpose
Expiration date
New form for every disclosure
Policy 13B: Personal
Representative for Patients
Addresses “standing in the shoes” of
the patient regarding PHI
Parents (and divorced parents)
Guardians
Emancipated minors (not in Nebraska?)
Deceased patients’ representatives
Policy 13B: Personal
Representative for Patients
Policy refers to state law section
(p. 80)
(see items #29, #68, and #69 in parts II & III)
Not specific regarding state law
HIPAA does not appear to present new
problems
Dr. Quack cannot give legal advice
See your attorney with real questions
Policy 14A: Prepare
Notice of Privacy Practices
Post in reception area (back of handout)
Keep stock in reception area
Distribute to every patient
Request patient to sign receipt (must try)
Receipt/denial kept in record (verify each visit)
Update next visit if policy changes
Policy 14B: Actual
Notice of Privacy Practices
Reviewed earlier
Policy 15A (& 16A): Defines
Designated Record Set
Contents of patient’s clinical chart
Contents of billing materials
Contents of treatment, orders,
laboratory information
Policy 15B: Patient
Access to their own PHI
Nebraska Hospital Association’s evaluation of
Nebraska statute vs. HIPAA (p. 82)
Reasons for denial: follow HIPAA standard
Charges for copying: Nebraska statute
Dr. Quack’s evaluation:
Time to respond: follow state law (30 days)
Letters responding to Patient
Requesting Access to PHI
Letter 1: extension (legal in Nebraska?)
(toss??)
Letter 2: agree to access
Letter 3: denial of access
Policy 16B:
Amendment of PHI
Patient can request to amend record
If Dr agrees,
Amendment added
New information forwarded to others with record
If Dr Disagrees and denies amendment,
Patient can submit letter of disagreement
Dr can attach denial letter & rebut in writing
Letters responding to Patient
Requesting Amendment
Letter 1: decline to amend
Letter 2: agree to amend
Letter 3: delay in amending
Policy 17A: Accounting for
Disclosures of PHI
Don’t need to account for disclosures
For treatment, payment, H. C. operations
To patient
To family, friends, or care givers
Authorized
Incidental
Marketing & advertising per exceptions
Policy 17A: Accounting for
Disclosures of PHI
Do need to account for disclosures
violating policy 11A
If you did everything right there should
be nothing to disclose
Letters responding to Patient
Requesting An Accounting of
Disclosures of PHI
Letter 1: delay of accounting
Policy 18A:
Restrictions to Use of PHI
Must allow patient to request to restrict use
of PHI that would otherwise not be restricted
You do not have to agree to request
If you do agree you must abide by agreement
Can terminate in writing
May be better never to agree
Policy 19A: Confidential
Communication Methods
Must have policy to allow patients to specify
special methods of communication with them.
Examples:
No answering machines
No post cards
Call at office only
Never call at office
Email only
Must comply with requests agreed to.
Worksheet 20:
Business Associates
AOA’s Joanne Lax J.D. recommends the
following steps to determine who is a
business associate.
Step One: Identify all outside
companies with which you do business
Worksheet 20:
Business Associates
Step Two: Flag companies that perform
health care services on your behalf (i.e.,
those to which you have outsourced)
Billing service
Optical lab
Quality assurance
Staff training
Worksheet 20:
Business Associates
Step Three: Also, flag the companies
that perform the following services
Legal
Accounting
Consulting
Management (office, building, software,
etc)
Worksheet 20:
Business Associates
Step Four: Of the companies you have
flagged, flag again those companies that
need to generate, maintain, use, or disclose
PHI in order to do their job. Examples:
Billing agents
Software support that sees PHI
Collections agencies
Outside medical transcriptionist service
Companies with two flags are your business
associates
Worksheet 20:
Business Associates
Business associates that need attention right
now fall into any of the following groups:
You do not currently have a written services
contract with them.
You have a written services contract with them,
but you entered into it after October 15, 2002.
You have a written services contract, but it will
expire or need to be renewed before April 14,
2003.
Worksheet 20: Business Associates
Business associates that do not need
immediate action:
You have a contract that existed before October
15, 2002, that
Automatically renews, or
Will not expire or be renewed before April 14, 2003.
You have to act on this latter group on the
earlier of:
The date that you will renew the contract, or
April 14, 2004.
Note these business associates on the
worksheet & complete the columns.
Worksheet 20:
Business Associates
Negotiate a business associate contract
with each of your business associates,
except:
A business associate that only uses,
generates, maintains or discloses PHI for
treatment purposes.
OCR also excludes payers…
Business Associate
Agreements
Policy 21A: BA agreement with AOA language
Policy 21A: BA agreement without AOA
language
Your Notice of Privacy Practices must be
supplied to BA
BA Follow-up
Do not have to monitor BA for compliance
Do not have to train BA
If learn of non-compliance, must
Mitigate where possible (per subsequent
policy)
Insist BA comply or terminate contract
If fails to comply, must find another vendor
Worksheet 23:
You must safeguard PHI
Safeguards come in many forms. The
three general categories are:
Administrative (policies & procedures).
Physical (physical plant).
Technological (relating to electronics).
Worksheet 23:
You must safeguard PHI
Examples of safeguards include:
Locks on records’ storage rooms or
cabinets (or monitoring).
Phones in confidential locations.
Closing doors.
Worksheet 23:
You must safeguard PHI
Computer passwords,
Computer screen savers or screen shields.
Limited field access for electronic data.
Worksheet 23:
You must safeguard PHI
Turning charts to face the wall in boxes
outside patients’ exam rooms.
Prohibiting calls to pharmacies or other
providers where they can be overheard.
Prohibiting staff from discussing clinical
issues with patients where they can be
overheard.
Shredding discarded PHI
Worksheet 23:
You must safeguard PHI
This aspect of HIPAA requires
Unique, individualized solutions
Based upon your office layout,
Opportunities to easily make physical plant
changes,
Budget for physical & technological
gadgets,
Workable policies & procedures.
Worksheet 23:
You must safeguard PHI
You are not required to go to extremes to
guarantee that no PHI will ever be
inadvertently disclosed.
“Incidental” disclosures – e.g. unavoidable
disclosures secondary to a permitted use or
disclosure – are permitted under HIPAA,
So long as you use reasonable safeguards
and
You observe minimum necessary rule.
Worksheet 24:
Minimum Necessary PHI
Using worksheet 6 (or Quack assessment)
Determine which job descriptions must
access what PHI
Determine whether the minimum
necessary rule is currently being abided by
Determine what changes should be made,
if any
Policy 24A:
Minimum Necessary Uses
Complete the table titled “Access to PHI by Job
Category” found at the front of this manual
Modify records & procedure where practical so
that
Information for a particular task is segregated,
But clinical needs & operations are not
compromised in the process of segregation.
Policy 24A:
Minimum Necessary Disclosures
For routine disclosures of PHI, determine the
minimum necessary amount of PHI needed to
respond.
Eye exam report to school (w/ authorization or
give to parent)
For non-routine disclosures of PHI, decide
how your PO will determine the minimum
amount of PHI necessary to respond.
Policy 24A2:
Confidentiality Agreement
Referred to but not included in AOA Manual
Fabricated by Dr. Quack
All staff should sign a confidentiality
agreement stating their commitment to
accessing only the minimum amount of PHI
necessary to do their job
Policy 25A: Verification Before
Disclosing PHI
You must check the identity & authority
of someone
Signing an authorization on behalf of a
patient or
Seeking PHI without an authorization,
if you don’t know this information
already.
Policy 25A: Verification Before
Disclosing PHI
This should include obtaining copies of
applicable documents, such as
Guardianship papers,
Power of attorney for health care, or
Official badge.
You can rely on documents that appear valid.
You must resolve questions or problems
before you can accept the authorization or
disclose requested PHI.
Policy 26A: You Must Mitigate
Harm from Improper Disclosure
The duty only applies if you "know" of the
harm. You do not have to actively monitor for
evidence of harm.
You only have to mitigate harm if it is
"practical" for you to do so.
You have full discretion to evaluate each
situation, & to take mitigation steps
appropriate to it.
Policy 26A: You Must Mitigate
Harm from Improper Disclosure
Mitigation can be
As simple as an apology or correction.
An attempt to get back the PHI disclosed.
Obtaining a signed agreement from
receiver not to use or disclose improperly
released PHI.
It's up to you in each case.
Policy 27A:
Complaints about Violations
Must have a written office policy to
accept,
thoroughly investigate, and
resolve
complaints from patients who believe their
privacy has not been properly respected.
Policy 28A:
De-Identification of PHI
Should you want to use PHI without
HIPAA restrictions…
None of HIPAA’s use & disclosure rules
apply to information stripped of all
identifiers.
Policy 28A:
De-Identification of PHI
You can de-identify PHI in one of two
ways:
A statistical expert can give an opinion that
PHI has been de-identified; or
You can remove the specific identifiers
listed in HIPAA’s “safe harbor” method.
Policy 29A & 29B:
Limited Data Sets
A limited data set is stripped of some
identifiers
You can then disclose PHI for
research,
public health, or
health care operations
Policy 29A & 29B:
Limited Data Sets
Examples of sharing for health care operations:
Business planning for a health plan or provider.
Sale or merger of a health plan, or
Financial management of a health plan or
provider.
Policy 29B: Limited Data Set:
Data Use Agreement
Similar to Business Associate Agreement
Describes recipient’s uses & disclosures
Requires recipient to use appropriate
safeguards
Requires recipient to tell you of wrongful use
or disclosure
Prohibits recipient from identifying or
contacting the patient
Requires recipient’s agents abide by same
conditions as the recipient
Worksheet 30:
Train All Employees
Work force includes more people than
your payroll. Work force includes:
All W2 employees.
Students (all kinds).
Volunteers.
Any independent contractor working onsite & under your direct control that you
have not treated as a business associate.
(See chart 20.)
Worksheet 30:
Train All Employees
Training can take any form. It can be:
Live lectures.
Purchased on-line training modules.
Review of policies/procedures.
Workbooks.
Any other method that you devise.
Training needs to be job specific
Worksheet 31:
State Law vs. HIPAA
A state law that relates to the privacy of PHI
but is not contrary to HIPAA
remains fully effective after HIPAA. You must
comply with both the state law & HIPAA.
A state law that relates to the privacy of PHI
& is contrary to HIPAA & “less stringent than”
HIPAA
HIPAA wipes out the state law, which is no longer
effective.
Worksheet 31:
State Law vs. HIPAA
A state law that relates to the privacy of PHI
& is contrary to HIPAA, but is “more stringent
than” HIPAA.
All such laws remain in effect after HIPAA. You
must comply with the state law, not HIPAA.
Dr. Quack’s
State Law Appendix
I: The concept of pre-emption
II: Nebr. Hospital Assoc. Review of Statutes
70 statutes & their relationship to HIPAA
Quack comments on effect on optometry
III: More detail on statutes affecting ODs
Subpoenas & HIPAA in Nebraska
State Law:
Before & After HIPAA
It appears little state law is truly pre-empted
based on Hospital Association evaluation
State law is therefore unchanged & should
prove no greater problem than previously
Optometrists should read & review last two
sections of Quack appendix:
Detail on sections possibly related to optometry
Subpoenas (discovery)
Seek legal advice with additional questions
HIPAA Privacy
History & Background
Brief Review of Notice of Privacy
Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested
changes
OCR Guidelines
The HIPAA Privacy Rule
is not intended to impede these customary
& essential communications & practices &,
thus,
does not require that all risk of incidental
use or disclosure be eliminated to satisfy
its standards.
OCR Guidelines
Privacy Rule permits certain incidental uses &
disclosures of PHI when the covered entity
uses
reasonable safeguards
minimum necessary policies & procedures
Reasonable Safeguards
Speaking quietly when discussing a
patient’s condition with family members in
a waiting room or other public area;
Avoiding using patients’ names in public
hallways & elevators
Reasonable Safeguards
Posting signs to remind employees to
protect patient confidentiality;
By supervising, isolating, or locking file
cabinets or records rooms;
By providing additional security, such as
passwords, on computers maintaining
personal information.
More Safeguards
Ask waiting customers to stand a few feet
back from a counter used for patient
counseling.
Use of cubicles, dividers, shields, curtains,
or similar barriers where multiple patient-staff communications routinely occur
Minimum Necessary Rule
Requires limit of access to PHI, based on
needs to perform job duties.
Unimpeded access to PHI, where not
necessary for the job at hand, is not
applying the minimum necessary standard.
Any incidental use or disclosure that results
from not applying the Minimum Necessary
Standard would be unlawful.
Minimum Necessary Rule
The minimum necessary standard does not
apply to disclosures, including oral
disclosures, among health care providers
for treatment purposes
OCR Guidelines FAQs.......
confidential conversations
Q: Can health care providers engage in
confidential conversations with other
providers or with patients, even if there is
a possibility that they could be overheard?
A: Yes, when using reasonable safeguards.
OCR Guidelines FAQs.......
confidential conversations
Free to engage in communications as
required for quick, effective, & high quality
health care.
Overheard communications in these
settings may be unavoidable & are allowed
as incidental disclosures.
OCR Guidelines FAQs.......
confidential conversations
When using Reasonable Safeguards:
Health care staff may orally coordinate
services at hospital nursing stations.
Staff may discuss a patient’s condition over
the phone with the patient, a provider, or a
family member.
A health care professional may discuss lab
test results with a patient or other provider
in a joint treatment area.
OCR Guidelines FAQs.......
confidential conversations
HIPAA Privacy does not require
Private rooms.
Soundproofing of rooms.
Encryption of wireless or other emergency
medical radio communications
Encryption of telephone systems.
OCR Guidelines FAQs.......
Mailings & phone calls
Q: May physicians’ offices or pharmacists
leave messages at patients’ homes, either
on an answering machine or with a family
member, to remind them of appointments
or to inform them that a prescription is
ready? May providers continue to mail
appointment or prescription refill reminders
to patients’ homes?
OCR Guidelines FAQs.......
Mailings & phone calls
A: Yes.
Limit the PHI disclosed on the answering
machine.
Consider leaving only name & number &
PHI necessary to confirm an appointment
Or ask the individual to call back.
May leave a message with a family
member or other person who answers the
phone when the patient is not home.
OCR Guidelines FAQs.......
Confidential Conversation
Where a patient has requested confidential
communication, you must accommodate
that request, if reasonable. Examples,
mailings in an envelope, not postcard.
mail sent to a P.O. box, not to home
receive calls at the office, not at home
OCR Guidelines FAQs....... Sign-in sheet
Q: May physicians’ offices use patient sign-in sheets or call out the names of their
patients in their waiting rooms?
A: Yes. But the sign-in sheet may not
display medical information that is not
necessary for the purpose of signing in.
OCR Guidelines FAQs.......
Charts on doors
Q: Are charts outside of exam rooms
prohibited?
A: No. Using reasonable safeguards & the
minimum necessary rule, covered entities
must simply
evaluate what measures make sense in
their environment
tailor their practices & safeguards to
their particular circumstances.
OCR Guidelines FAQs.......
Charts on doors
You May maintain patient charts outside of
exam rooms, displaying patient names on
the outside of patient charts…
Possible safeguards may include:
Supervise area
place patient charts facing the wall or
otherwise covered
OCR Guidelines FAQs.......
Announcing names
You May: Announce patient names & other
information over a facility’s public
announcement system.
Possible safeguards may include:
limiting the information disclosed over
the system, such as referring the
patients to a reception desk.
OCR Guidelines FAQs.......
Overheard conversation
A provider may be overheard, in the
reception area, instructing staff to bill a
patient for a particular procedure
A health plan employee discussing a
patient’s health care claim on the phone
may be overheard by another employee
who is not authorized to handle patient
information.
OCR Guidelines FAQs.......
Office re-design
Q: Are covered entities required to
restructure workflow systems, redesign office
space & upgrade computer systems to
comply with the HIPAA Privacy Rule?
A: The Department generally does not
consider facility redesigns as necessary to
meet the reasonableness standard for
minimum necessary uses.
Use reasonable safeguards and minimum
necessary rule listed earlier
OCR Guidelines FAQs.......
Configuring records
When considering record configuration, take
into account your
ability to configure your record systems to
allow access to only certain fields, &
the practicality of organizing systems to
allow this capacity.
OCR Guidelines FAQs.......
Configuring records
It may not be reasonable for a small, solo
practitioner using paper records to limit
one employee to only some fields and give
other employees complete access to the
record.
In this case, appropriate training of
employees may be sufficient.
OCR Guidelines FAQs.......
Configuring records
Alternatively, a hospital [or large clinic]
with an electronic patient record system
may reasonably implement such controls.
OCR Guidelines FAQs.......
Business Associate
Examples of Business Associates.
A third party administrator that assists a
health plan with claims processing.
A CPA firm whose services involve access
to PHI.
An attorney whose services involve access
to PHI.
A consultant that performs utilization
reviews for a hospital.
OCR Guidelines FAQs.......
Business Associate
Examples of Business Associates.
A health care clearinghouse that
translates a claim from non-standard to
standard format & forwards to a payer.
An independent medical
transcriptionist that provides
transcription services to a physician.
OCR Guidelines FAQs.......
BA Agreement NOT needed
A physician is not required to have a business
associate contract with a laboratory as a
condition of disclosing PHI for the treatment
of an individual.
A hospital laboratory is not required to have a
business associate contract to disclose PHI to
a reference laboratory for treatment of the
individual.
OCR Guidelines FAQs.......
BA Agreement NOT needed
When a health care provider discloses PHI
to a health plan for payment purposes, or
when the health care provider simply
accepts a discounted rate to participate in
the health plan’s network.
A provider that submits a claim to a health
plan & a health plan that assesses & pays
the claim are each acting on its own behalf
as a covered entity, & not as the “business
associate” of the other.
OCR Guidelines FAQs.......
BA Agreement NOT needed
With persons or organizations whose functions
do not involve the use or disclosure of PHI
(e.g., janitorial service, copier maintenance,
electrician).
With a conduit for PHI, for example, the US
Postal Service, certain private couriers, & their
electronic equivalents.
When a financial institution processes
consumer-conducted financial transactions
OCR Guidelines FAQs.......
Business Associate
Q: Is a software vendor a business
associate of a covered entity?
A: Maybe. The mere selling or providing of
software to a covered entity does not give
rise to a business associate relationship.
If the vendor has access to PHI of the
covered entity in order to provide its
service, the vendor would be a business
associate.
OCR Guidelines FAQs....……..
No permission needed
Q: Can a patient have a friend or family
member pick up a prescription for her?
A: Yes. A pharmacist may use professional
judgment & experience with common practice
to make reasonable inferences of the
patient’s best interest in allowing a person,
other than the patient, to pick up a
prescription.
OCR Guidelines FAQs....……..
No permission needed
Q: Does the HIPAA Privacy Rule permit a
covered entity or its collection agency to
communicate with parties other than the
patient (e.g., spouses or guardians)
regarding payment of a bill?
A: Yes. A covered entity or their business
associate (e.g., a collection agency), may
disclose PHI as necessary to obtain
payment for health care, & there is no
limit to whom such a disclosure may be
made.
OCR Guidelines FAQs....……..
No permission needed
However, the Privacy Rule requires you
Place a reasonable limit on the amount of
information disclosed,
Abide by any reasonable requests for
confidential communications
Honor any agreed-to restrictions on the
use or disclosure of PHI.
OCR Guidelines FAQs....……..
No permission needed
Q: Does the HIPAA Privacy Rule prevent health
plans & providers from using debt collection
agencies?
A: The Privacy Rule permits use of debt
collection agencies through a business
associate arrangement.
Disclosures to collection agencies are governed
by provisions such as the business associate &
minimum necessary requirements.
OCR Guidelines FAQs....……..
No permission needed
Q: Does the HIPAA Privacy Rule permit an
eye doctor to confirm a contact prescription
received by a mail-order contact company?
A: Yes. The disclosure of PHI by an eye
doctor to a distributor of contact lenses for
the purpose of confirming a contact lens
prescription is a treatment disclosure, & is
permitted under the Privacy Rule at 45 CFR
164.506.
OCR Guidelines FAQs....……..
No permission needed
Q: Is a hospital permitted to contact
another hospital or health care facility,
such as a nursing home, to which a patient
will be transferred for continued care,
without the patient’s authorization?
OCR Guidelines FAQs....……..
No permission needed
A: Yes. The HIPAA Privacy Rule permits
disclosure of PHI without authorization to
another health care provider for treatment or
payment purposes, as well as to another
covered entity for certain health care
operations of that entity.
OCR Guidelines FAQs...
Marketing
Q: Can contractors (business associates)
use PHI to market to individuals for their
own business purposes?
OCR Guidelines FAQs.......
Marketing
A: No. While covered entities may share
PHI with “business associates”, that PHI
must be used to perform or assist in the
performance of certain health care
operations on behalf of covered entities.
Thus, business associates, with limited
exceptions, cannot use PHI for their own
purposes.
OCR Guidelines FAQs.......
Marketing
Alternative treatment
Communications about alternative
treatments are excluded from the definition
of marketing & do not require a prior
authorization.
Similarly, it is not marketing when a doctor
or pharmacy is paid by a pharmaceutical
company to recommend an alternative
medication to patients.
OCR Guidelines FAQs.......
Marketing
The simple receipt of remuneration does
not transform a treatment communication
into a commercial promotion of a product
or service.
Furthermore, covered entities may use a
legitimate business associate to assist
them in making such permissible
communications.
OCR Guidelines FAQs.......
Public Health
Q: May providers disclose PHI concerning
pre-employment physicals, drug tests, or
fitness-for-duty examinations to an
individual’s employer?
A: In very limited circumstances, providers
may disclose PHI to the individual’s employer
without authorization.
OCR Guidelines FAQs.......
Public Health
1st, the service must be provided at the
employer’s request or as a member of the
employer’s workforce.
2nd, the service must relate to medical
surveillance of the workplace or to detect
or assess work-related illness or injury.
OCR Guidelines FAQs.......
Public Health
3rd, the employer must have a duty under
OSHA or similar law to keep records on, or
act on, such information.
OCR Guidelines FAQs.......
Workers’ Comp
HIPAA Privacy does not apply to workers’
compensation insurers, administrative
agencies, or employers.
These entities need access to the PHI of
individuals with work related injury or
illness to process or adjudicate claims, or
to coordinate care under workers’
compensation systems.
OCR Guidelines FAQs.......
Workers’ Comp
The Privacy Rule permits disclosures of PHI
for workers’ compensation purposes,
sometimes requiring patient authorization,
other times not.
Nebraska Law 48-120(4) [Manual pg 84] “Records
relevant to the injury shall be made available
on demand to employer, employee, carrier,
and compensation court”
State law not pre-empted.
Follow both.
OCR Guidelines FAQs.......
Workers’ Comp
HIPAA: Disclosures Without Individual
Authorization.
To provide benefits for work-related injuries
or illness without regard to fault.
Limited to what the law requires.
For obtaining payment for any health care
provided to the injured or ill worker.
OCR Guidelines FAQs.......
Workers’ Comp
HIPAA: Disclosures With Individual
Authorization.
May disclose PHI when the individual has
provided authorization for the release of
PHI.
The Minimum Necessary Rule applies.
OCR Guidelines FAQs.......
Oral Communication
Q: Does the HIPAA Privacy Rule require
that covered entities provide patients with
access to oral information?
A: No. The term “designated record set”
does not include oral information; rather, it
connotes information that has been
recorded in some manner.
OCR Guidelines FAQs.......
Oral Communication
Q: Does the HIPAA Privacy Rule require
that covered entities document all oral
communications?
A: No. The Privacy Rule does not require
covered entities to document any
information, including oral information, that
is used or disclosed for treatment, payment
or health care operations
HIPAA Privacy
History & Background
Brief Review of Notice of Privacy
Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested
changes
Physical Changes
HIPAA does not require that you make
radical, expensive changes to your
office.
The following are some reasonable
alterations in office layout to assist in
complying with HIPAA
Doors
Close doors when discussing PHI, e.g.,
History
Pre-examination
Examination
Always speak quietly
Hearing impaired?
Speak slowly
Get closer
Take special care when speaking in
hallways and other common areas
Multi-patient areas
(Check-in, Check-out, Dispensary)
Speak reasonably quietly
Use “PLEASE WAIT HERE” signs if
appropriate
Provide “PLEASE WAIT HERE” chairs if
appropriate
Incidental disclosure is acceptable
Business Office Areas
Place HIPAA reminder signs at work
stations
Place HIPAA reminder signs on
computer monitors
Place HIPAA reminder signs on file
cabinets
Computer Monitors
Rotate screen away from public
Put a plant next to monitor
Use Screen saver or “Minimize” screen
Place HIPAA reminder sign on monitor
Remember, patients can see their own
PHI!
Patient Records
Keep records closed except when in use
When practical, divide each record into
sections, e.g.,
Demographics
Examination
Claims
Staff should use only that portion of
record needed for the task at hand
Patient Record Storage
Post HIPAA reminder signs in record
storage areas
Reasonably monitor record storage
areas
Reasonably monitor records in hallways
HIPAA Privacy
History & Background
Brief Review of Notice of Privacy
Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested
changes
THE END
Thank You!