Many HIPAA myths circulate on the Internet and are believed by healthcare professionals as a result of misinterpreting the HIPAA rules. These myths rest on erroneous beliefs about how restrictive HIPAA is, and such beliefs have gained strength over time.
Many believe that HIPAA, with its excessive restrictiveness, prevents healthcare professionals from doing their work freely and, at the same time, stops patients from exercising their legitimate rights.
Believing any of these HIPAA myths may cause you to violate the rules set forth by HIPAA and end up on the Wall of Shame. You don't need to know every detail of this law to do your job freely without violating privacy rules. But you need to know enough! You must be aware of what you need to know and what not to believe.
In this article, we want to take a closer look at the most common HIPAA myths. Then we'll explain them and reveal the truth by following the law and basing it on facts.
This is not true. Let’s first clarify when and to whom HIPAA applies.
Entities covered by HIPAA are:
Health care providers (doctors, clinics, hospitals, pharmacies).
Health plans (insurance companies, government programs such as Medicare).
Health care clearinghouses (billing services and community health systems that organize health data).
HIPAA covers only health information that is received, stored, maintained, or transmitted by an entity covered by HIPAA.
Any such information collected by other health apps, fitness trackers, and other such devices is not covered by HIPAA. The only exception is if such a device has been provided to you by your doctor or healthcare provider.
FACT: HIPAA covers all health information, however it is handled, stored, transmitted, or breached, regardless of its format. It is important to make sure that all medical records are handled properly and shared appropriately with the data owner, whether they are shared electronically or copied and faxed.
This means that keeping paper records does not relieve you of your obligation to comply with HIPAA privacy regulations. Moreover, in this age of digitization, almost all practice records are now captured and stored electronically. So relying on paper files won’t help your business grow, nor will it relieve you of HIPAA compliance obligations.
FACT: Under HIPAA, healthcare providers are not allowed to disclose personal health information to employers without the patient’s consent.
Healthcare providers may only disclose a patient’s protected health information (PHI) to other employees who need the information to provide treatment, payment, or healthcare operations. This is known as the “minimum necessary” standard.
Consider this example: a doctor may share a patient’s PHI with a nurse who is providing care to the patient, or a billing department may need access to PHI to process insurance claims. However, healthcare providers should still take appropriate steps to protect the confidentiality of PHI, such as limiting access to PHI to only those employees who need it for their job duties and implementing physical, technical, and administrative safeguards to protect PHI. Data collected as part of staff surveys, on the other hand, is considered separately collected data and is not covered under HIPAA.
FACT: HIPAA does not prohibit sharing patient information with family members. Information can be shared with friends and family members if the patient is present and does not object. Also, if the provider judges that sharing the information is in the best interest of the patient, they may disclose it. Otherwise, if the patient clearly objects to the information being shared with his family or with any specific person, then his wishes must be respected!
Without the patient’s presence, information can only be shared with the patient’s family if he/she is incapacitated and healthcare professionals have judged that the patient would not object to sharing their information with family, friends, or close relatives. Family members may obtain a copy of the patient’s health record only with written consent from the patient, as you can see in 45 CFR 164.524(c)(3)(ii).
First of all, let’s define the term “medical or health information record”. Medical record means any collection or grouping of information related to a patient’s health that is collected, used, maintained, or disseminated by or for a covered health care entity.
FACT: It is true that at the patient’s request, health organizations are obliged to provide a copy of their health information record. But there is information that may not be given if it is believed that the disclosure of such information may harm the patient.
Two categories are excluded from the right of access:
Psychotherapy notes: the personal notes of the mental health care provider, kept separate from the rest of the medical record. These notes are used to analyze and document the content of the patient session.
Any information compiled for use in civil, criminal or administrative proceedings.
FACT: The HIPAA Privacy Rule allows medical records to be sent to other doctors without the patient’s consent. This applies not only when a physician is transferring a patient to another doctor: physicians may also disclose patient information without consent for purposes of treatment, payment, and health care operations.
FACT: Not true. Text messages, like email, are considered a form of electronic communication under HIPAA and must comply with the HIPAA Privacy Rule.
If your healthcare organization sends text messages that contain unencrypted private health information, then it must:
Warn patients about the risks of using unencrypted text messages for health purposes.
Obtain consent from patients to communicate through unencrypted messages.
Document patient consent and organizational compliance.
This is one of the most common falsehoods circulating on internet forums. There is no HIPAA violation if a patient is called by name in a waiting room, because no health information is given. But it is a violation if, along with the name, the patient’s health condition or the procedure the patient is there for is also announced.
It is logical to think that breaking the law will result in a lawsuit. But let’s look more closely at why this is a complete lie.
FACT: You as a patient cannot sue health care providers, even if HIPAA rules are violated. But in that case, you have the right to file a written complaint. After a complaint is filed, the Secretary of Health and Human Services investigates the complaint (if reasonable grounds for doing so are provided), and may do so at his/her discretion.
If a violation is found, the best the patient can expect is civil monetary penalties for the HIPAA violator.
In conclusion, understanding HIPAA regulations is crucial for protecting patient privacy and data security in the healthcare industry. By revealing and explaining these 9 common HIPAA myths, we hope to have provided clarity and guidance on what is and isn’t allowed under HIPAA. Remember to always seek professional advice from experts, and take appropriate steps to safeguard protected health information.
Andreas Springer _Actonic_
Head of Marketing