HIPAA Consult

August 4, 2006

Answers to your questions about...Storing patients' charts; Breaches by employees and others; Violations by business associates; Publicizing resolutions

Storing patients' charts

Q. Ever since switching to an EHR, my practice has maintained a paperless office. So it's especially inconvenient when patients who transfer to us send us their paper charts, which can be phone book size. Can I simply retrieve the lab and other pertinent information from these charts, record this information in our EHR, and send the charts themselves back to the initial treating physician or the patient herself? Or are we obligated to maintain and store them indefinitely?

Breaches by employees and others

Q. If someone in my practice commits a HIPAA violation, can the government hold me responsible, as well?

A. Yes, if the person who committed the violation is considered your "agent." Agents are people who perform work for you and whose work you control. People in your direct employ fit this definition, of course. But so do independent contractors, volunteers, and trainees.

Violations by business associates

Q. Can I be held responsible for a HIPAA violation committed by one of my business associates, like a CPA who isn't a member of my staff but with whom I share protected health information?

A. Generally, no, provided you've complied with the business associate provisions of the HIPAA privacy and security rules. These rules require that you have a business associate agreement with people like CPAs and that you take reasonable steps to fix any HIPAA breach committed by them that you become aware of. If you fail to take these steps, the government can hold you liable.

Publicizing resolutions

Q. When someone files a complaint against a physician and that complaint is resolved cooperatively, does HHS make the resolution public?

A. No. The government notifies the public only when a proposed penalty becomes final. Notification may take a variety of forms, including a posting on the Health and Human Services website and/or a dated notice in the Federal Register. Since the government closes cooperatively resolved complaints before issuing a final penalty decision, it doesn't make such complaints public.

Margaret M. Davino (mdavino@kbrny.com
) is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City. This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. Please submit questions via e-mail to mehipaa@advanstar.com
, or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.