HIPAA Consult

January 6, 2006

Answers to your questions about... informing family; announcing medical leaves

Informing the family

A No, for two reasons. First, HIPAA applies only to "covered entities," that is, most healthcare providers, payers, healthcare clearinghouses, and Medicare prescription drug card sponsors. (The discount card program ends this May.) Since you weren't acting as a physician in this instance but rather as a duly authorized family member, HIPAA doesn't apply. Second, HIPAA permits patients to access their own health information, with some exceptions (if, for instance, such access would cause harm to another person).

Announcing medical leaves

Q During a medical department meeting, I mentioned that a staff person whom I supervise was going on medical leave. This doctor subsequently filed a complaint against me for violating her confidentiality, even though I hadn't said anything about her medical condition or diagnosis. Was this, in fact, a HIPAA violation?

A No, because you were acting as an employer, and employers aren't considered covered entities under HIPAA. But announcing to staff that a colleague is going on medical leave isn't wise, and may even be considered a breach of employer confidentiality.

Implementing EDI

Q I'm about to start a new practice. My privacy manual is already in place, but I still need to develop my HIPAA claims and security protocols. What's involved in this process?

A Let's address claims protocols first. If you plan to file claims electronically, you're required to comply with HIPAA's electronic data interchange (EDI) standards, which dictate the format you must use for claims submissions and other electronic exchanges (remittances, patient eligibility checks, and so forth). The claims you submit will be HIPAA-compliant if you use a billing company. But if you handle your own claims submissions, it's worth your while to get a copy of CMS' claims submission software. It's available from your Medicare carrier, which offers the software free or for a nominal price.

Regarding security, HIPAA requires that you take reasonable steps to maintain the security of all electronic medical information. Generally, this means assessing potential risks within your practice and addressing them. For a primer on security issues, go to http://www.cms.hhs.gov/hipaa/hipaa2/education/default.asp, and click on one or more of the papers in the "HIPAA Security Educational Paper Series."