Here are six myths about HIPAA that your medical practice may believe, but are actually false.
HIPAA was named for Hipaatotep, ancient god of secrecy. Naah, not really, that’s just a myth. The Health Insurance Portability and Accountability Act, or HIPAA, was enacted 12 years ago by Congress, partly to address the security and privacy of health data. Since then, myths have abounded. We’ve debunked some common ones for you:
1. MYTH: Sign-in sheets in medical offices are a no-no.
REALITY: The law does not prohibit the use of sign-in sheets. The goal is to ensure that physicians take appropriate measures to protect their patients’ privacy. For sign-in sheets and other incidental disclosure of patient names, the law states that it “is not intended to impede these customary and essential communications and practices.” However, you are expected to exercise reasonable safeguards, such as requiring as little personal information on the sign-in sheet as necessary.
2. MYTH: You may no longer say a patient’s name aloud in the waiting room.
REALITY: Well, that would make it awfully hard to call anyone back for their exam: “Hey you, the doctor will see you now” doesn’t really cut it, does it? As with the sign-in sheet issue, this is an exaggeration of what would normally be considered a reasonable safeguard. Calling patients back for an exam by name is fine. Just don’t be a blabbermouth about it: “Mrs. Spellman, the doctor can drain your carbuncle now.” Is that really necessary? Speak quietly when discussing a patient with family members in the waiting room and avoid using patient names in public hallways and elevators.
3. MYTH: Your patients can sue you for not complying with HIPAA.
REALITY: Even if a patient is the victim of a major violation of the HIPAA Privacy Rule, he still can’t sue you for it. He can file a written complaint with the Office for Civil Rights at the Department of Health and Human Services. That office may choose to investigate complaints and impose fines, although monetary penalties are seldom, if ever, levied. However, HHS does expect you to voluntarily bring yourself into compliance in the event of a complaint.
4. MYTH: If a patient refuses to sign an acknowledgement form, you can’t treat that patient.
REALITY: Refusing to sign your Acknowledgement of Privacy Practices form won’t preclude that person from being your patient. You are only required to make a “good faith effort” to secure her signature; otherwise, it’s business as usual. Note that this cuts both ways: You’re not subject to liability if a patient doesn’t sign. But you can’t use that refusal as a reason to stop providing services (which could be a bummer if you’re looking for an out).
5. MYTH: Your patient’s prescriptions can only be picked up by the patient.
REALITY: Actually, a family member or friend can pick up your patient’s prescription at the local drug store without fear of arrest or other reprisal. Very often, doing so is in the patient’s best interest - and the public’s. A pharmacy itself may have a policy prohibiting third-party prescription pick-up, but that’s the pharmacy being uptight - it has nothing to do with HIPAA.
6. MYTH: Patients can get free copies of their medical records from you.
REALITY: Nope, not true. A patient certainly has the right to request a copy of his medical record from you, but the enactment of HIPAA did not make him the owner of the record; that’s still you. You have 30 days to comply with such a request and you can also require that the patient cover the cost of copying and mailing the records.
For more information, visit HHS’s Office for Civil Rights - HIPAA Web site.
Abigail Beckel is managing editor for Physicians Practice.
Shirley Grace is associate editor for Physicians Practice.
This article originally appeared in the January 2009 issue of Physicians Practice.