Patient Privacy Legislation and HIPAA

Module Summary

Patient privacy and the security of protected health information (PHI) are governed by federal and state law. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) codified the United States federal provisions for handling and protecting patient information. A detailed understanding of the specifics of these laws is critical to maintaining compliance and preserving the privacy rights of patients. PHI is individually identifiable health information; the identifiers that make it identifiable include name, date of birth, medical record number, identifying images, and many more. Covered entities (CEs) include health plans, health care clearinghouses, and health care providers such as hospitals, group practices, and physicians. There are exceptions to HIPAA that all CEs must know. Additionally, every CE should incorporate a detailed HIPAA compliance plan into its internal policies, including annual training, periodic self-auditing, and protocols for handling and reporting breaches.

Module Learning Objectives
  • Demonstrate commitment to ensuring the privacy and security of medical records.
    • Explain the difference between privacy and security.
    • Explain the concept of doctor-patient confidentiality.
  • Discuss issues related to the electronic processing of medical information.
  • Identify the implications of the Health Insurance Portability and Accountability Act (HIPAA) regulations.
    • Identify the three main rules within HIPAA, and explain the purpose of each.
    • Define “protected health information” (PHI).
    • Identify who must comply with HIPAA and what a “covered entity” (CE) is.
    • Explain what a “business associate” (BA) is, and what implications this has for the physician with respect to patient privacy.

Review

Review Questions
  1. You hire a web design company to create a website for your practice. With respect to HIPAA, is this company considered a “business associate” (BA) if it is only designing the graphics and text on the website? What if it is creating a patient communication portal through the website and needs to audit communications to ensure the portal is functioning properly?
  2. A patient emails you from their personal email account. Based on HIPAA rules, can you email a reply to the patient from your work or personal account? What is the privacy purpose of a secure patient portal?
  3. You take a photo of your patient (related to patient care) in the operating room. If this is simply printed and placed in the patient chart, is it a violation of HIPAA? What if you post this photo of your interesting case to your practice website or social media?
  4. The day after you treated an elderly man in your practice, you receive a phone call from the patient’s daughter. The daughter would like to know what you discussed at the visit so she can help care for her father. She was not present at the appointment. Are you allowed to discuss the patient’s care with her? What steps could you take to protect your patient’s privacy while also obtaining the ability to discuss the clinical care with the family? Would you have to take these steps if the daughter had been present in the room during the original office visit?