HIPAA compliance requires informing patients of privacy rights

March 24, 2014

Being able to exchange patient health information electronically with other providers comes with legal obligations you need to be aware of.

Being able to exchange patient health information electronically with other providers will greatly benefit patients. But it also comes with legal obligations you need to be aware of.

The rules regarding privacy safeguards for patient health information are part of the Health Insurance Portability and Accountability Act (HIPAA). First passed in 1996, HIPAA has been updated to keep pace with changes in technology, especially the use of e-mail and other forms of electronic communication, and the widespread adoption of electronic health records.

The most recent update occurred in 2013 with the adoption of an Omnibus Rule that supplemented HIPAA’s rules governing the privacy, security, and breach notification for patient health information. In terms of health information exchange, a crucial requirement for medical practices is ensuring that patients are aware of their privacy rights, says Daniel Shay, JD, a healthcare attorney with Alice G. Gosfield and Associates in Philadelphia, Pennsylvania.

The reason, Shay explains, is that although the HIPAA Omnibus Rule requires obtaining a patient’s consent for certain disclosures of health information, it makes exceptions for purposes of treatment, payment, and operations. But patients still must be made aware of their privacy rights, Shay says, a requirement practices must meet by distributing and/or posting a notice of privacy practices (NPP).

“Providers should have updated their NPPs after this most recent (Omnibus) rule was published,” says Shay. “In that (update) should be a statement that ‘we may disclose your information to other providers who are treating you,’ or similar language. As long as they provide that, they’ve basically met their requirement to inform patients about disclosures for treatment purposes.”

For purposes of exchanging health information, it’s not necessary to get the patient’s consent to all the provisions of the NPP, but only the acknowledgment that the patient has seen it, says Lisa Gallagher, BSEE, CISM, vice president for technology solutions for the Health Information Management Systems Society.


“It (the NPP) is informing the patient that what the provider is doing is normal practice under the law to care for the patient adequately,” she says. “The patient doesn’t have to agree to it, they just have to see it, and the doctor can make a note that the patient was presented with it and proceed as usual.”

Of course, informing patients of their privacy rights does not relieve doctors of the obligation to use HIPAA-compliant methods to exchange protected health information (PHI), says Kenneth Rashbaum, principal with the law firm Rashbaum Associates LLC in New York, New York. “This has been a significant concern, because even though they’ve been advised to the contrary, a lot of physicians only use commercial e-mail, and that’s not a secure way to exchange patient information,” he says.

Much PHI exchange now takes place via private applications such as a cloud site or virtual private network. Rashbaum advises clients to get specific consent from patients when using those methods. “I often recommend that doctors get patient consent that their information may be sent over a secure third-party site to share with other caregivers participating in their treatment, or something along those lines,” he says. “The transparency is helpful.”

Another consideration is how much of the patient’s medical history the receiving provider should get. The HIPAA Privacy Rule says providers must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

The law allows providers some discretion in deciding what constitutes the “minimum necessary,” says Gallagher. Even so, “the sending provider should at least ask, ‘do I need to send the patient’s entire medical history? Or is there a portion I can send that will be sufficient for this purpose?’”