HIPAA Consult

September 2, 2005

Answers to your questions about...exchanging information with family members; restricting access to protected data; exceptions to the "personal rep" rule.

Exchanging information with family members

Q. As FPs, we often gain valuable information from patients' family members who call to alert us to early signs of dementia, substance abuse, or other kinds of behavioral problems. How should we respond to such calls in a HIPAA-compliant manner?

Q. My hospital now permits us to review medical records electronically at home. The problem is my son and wife also use my computer on occasion. Is this a HIPAA violation?

A. Not directly. There's nothing in HIPAA that absolutely prohibits your wife or son from using the home computer that you use to review medical records. But, under the law, you must restrict their access to any protected patient information stored in that computer. Specifically, according to HIPAA's workstation security standard, you must "implement physical safeguards for all workstations that access [medical] information." For example, if you need a unique ID and password to log into your hospital system from your home computer, take steps to ensure that no one else gets hold of them.

Exceptions to the "personal rep" rule

Q. I have reason to believe that the personal representative of one of my elderly patients may not have her best interests at heart. Under these circumstances, does HIPAA make any exceptions for how I must treat this representative?

A. Yes. Generally, you can't refuse a patient's personal representative access to restricted information, but you can if you reasonably believe that he or she may be subjecting your patient to violence, abuse, or neglect. You can also deny access if, in your professional judgment, it isn't in the best interests of your patient if you treat the person in question as her personal representative-because, for instance, you believe the person is a potential thief. But, in such circumstances, be prepared to defend your decision in the event that it's challenged.

Margaret M. Davino:mdavino@kbrny.comis a healthcare attorney with Kaufman Borgeest & Ryan, in New York City.

This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. Please submit questions via e-mail to: mehipaa@advanstar.com or by regular mail to: Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.