
The ASHA Leader Online

 

HIPAA: Practical Tips


Q: Must a health care provider (clinician) obtain written consent for treatment?

All patients should receive a Notice of Privacy Practices. After that, disclosures for the purpose of treatment do not require a written consent.

Q: When referring a patient from one's own facility to a community provider, may the clinician call or write a letter to the receiving facility?

Yes. If the correspondence between health care providers is for the purpose of treatment, the two providers may correspond by phone, letter, or FAX without fear of violating HIPAA (including sharing identifying information). If the correspondence is by FAX, the sender should take special precautions by alerting the recipient that the FAX is about to be sent and verifying that the FAX was received.

Q: Is it permissible to e-mail a diagnostic report for treatment or consultation?

Correspondence by e-mail is permitted, but special security rules apply. Under HIPAA's Security Standards (effective in April 2005), the covered entity is required to maintain the integrity and security of its electronic media (164.314[e]). Furthermore, if the Internet or dial-up lines are used, HIPAA encourages (but does not require) entities to use encryption. Finally, to further guard against unauthorized access to PHI transmitted by e-mail, do not type the patient's name in the "subject line," because this might allow someone to trace the e-mail. Unless encryption is used, the best practice is to remove all individual identifiers from the e-mail.

Q: May a clinician consult with an expert about a patient's care?

Consultation is permitted, but it is important to observe the "minimum necessary" rule. The level of precaution you take should be proportionate to the degree of perceived risk either that you will violate the terms of the Notice of Privacy Practices that the patient has agreed to, or that a third party might use or disclose the PHI inappropriately.

Q: Does HIPAA permit a clinician to photograph or videotape a patient for teaching purposes?

The "health care operations" provision of HIPAA includes "training and teaching." However, photos and videotapes should be de-identified (164.514[b][2][Q]) or consent obtained from the patient or patient's representative. State law, JCAHO and/or institutional policy should be followed without exception when the clinician intends to use photographs or videotapes for diagnostic, treatment, quality assurance, educational, or marketing purposes. Normally, respect for the patient will require explicit and specific consent for any of these purposes.

Q: Do clinicians need an authorization (consent) from a patient to disclose PHI for treatment, payment, or health care operations, and should the clinician list this disclosure on the covered entity's accounting of disclosures?

Neither a written consent nor an accounting is required when a health provider discloses PHI for treatment, payment, or health care operations (see Table for details).

Q: Do clinicians need an authorization (consent) from a patient to disclose PHI when reporting vital statistics as authorized by law?

Clinicians are not required to obtain consent for public health or related purposes (e.g., mandatory reporting of vital statistics, national security, or suspected abuse), but the covered entity is required to document this disclosure of information on the covered entity's accounting for disclosures (45 CFR 164.508; 45 CFR 164.528; see Table on page 23 for details).


(Reprinted with permission. Portions of this sidebar were originally prepared for:
Horner, J. & Wheeler, M. [2003, Fall]. HIPAA and Protected Health Information (PHI). Academy of Neurologic Communication Disorders and Sciences Newsletter, I[2], 10-11).



©1997-2008 American Speech-Language-Hearing Association