HIPAA Consult: Answers to your questions about. . .

Documenting conversations; reporting child abuse; HIV disclosures; marketing services or products; selling patient names to marketers


HIPAA Consult

Answers to your questions about . . .

Jump to:
Choose article section...Documenting conversations Reporting child abuse HIV disclosures Marketing services or products Selling patient names to marketers

By James D. Wall, JD

Documenting conversations

Q: Does the HIPAA privacy rule require that I document all oral communications with patients?

A: No. But the rule does require that you keep records of certain discussions. For example, if you tell a public health authority about a patient's communicable disease or a law-enforcement official about a suspected victim of a crime, you must maintain a written record of that conversation.

There are non-HIPAA-related reasons to document oral communications, as well. Let's say you've instructed a patient to take a particular medicine or to avoid a certain behavior. If the patient proves noncompliant, you'd be wise to have a record of that. Indeed, a paper trail that clearly supports your original advice would make any future defense against medical malpractice easier.

Reporting child abuse

Q:My state law requires healthcare providers to report suspected child abuse. Is this law pre-empted by the HIPAA privacy rule?

A: No. The rule permits doctors and other covered entities to disclose instances of suspected child abuse to public health authorities. So your state law is not pre-empted.

HIV disclosures

Q:My state law is more protective of HIV information than HIPAA is. Is it pre-empted by HIPAA?

A: No. Think of the HIPAA privacy rule as establishing a floor for protecting the privacy of individually identifiable health information. When a state law exceeds this baseline, you should follow the state law. You'll still be in compliance with HIPAA, which permits—but does not require—the disclosure of HIV information.

Marketing services or products

Q:I know that HIPAA prohibits covered entities from releasing protected health information for marketing purposes. But if I want to send letters to certain patients telling them about a new service, is that considered marketing?

A: No. The privacy rule specifically excludes from the definition of "marketing" any communications by a covered entity that describes that entity's products or services. So, for instance, an internist is permitted to notify his patients of a new weight loss or smoking cessation program.

Selling patient names to marketers

Q:How does the privacy rule protect my patients from people or companies that want to purchase lists of names and market products or services to them?

A: For one thing, doctors aren't permitted to provide patient lists to pharmaceutical companies for drug promotions without prior patient authorization. Similarly, hospitals are prohibited from providing companies with the names of expectant mothers without authorization. Before HIPAA, most states didn't prohibit these disclosures.

James D. Wall (Jwall@KilpatrickStockton.com) is a partner with Kilpatrick Stockton in Winston-Salem, NC. This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. If you have a question, please submit it via e-mail to mehipaa@medec.com, or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645. ATTN: HIPAA Consult. If we select your query, we'll address it in an upcoming issue. Your name will not be used.


James Wall. HIPAA Consult: Answers to your questions about. . .. Medical Economics Dec. 5, 2003;80:26.

Related Videos
Victor J. Dzau, MD, gives expert advice
Ron Holder, MHA, gives expert advice
remote patient monitoring
no shows
effective meetings
Solving problems
© 2023 MJH Life Sciences

All rights reserved.