Myths about HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, establishes crucial privacy rules that prohibit healthcare providers and businesses, known as covered entities, from disclosing protected information without the patient’s consent. This information can only be shared with the patient and their authorized representatives. However, misunderstandings and myths about HIPAA often arise, leading to confusion. Have you ever found yourself in a conversation like the one below, puzzled by common misconceptions?
Sharon: I understand the need for guidelines and rules, but isn’t HIPAA quite limiting for healthcare professionals? How can you operate effectively if you can’t share information? And what about discussing a patient’s condition with their family members? Also, is it true that patients must sign a form before receiving healthcare services?
Healthcare Professional: It’s crucial for healthcare professionals to know, understand, and follow HIPAA rules, but some of your concerns are based on common misconceptions.
Myth #1: HIPAA Prevents Information Sharing Among Healthcare Professionals
Debunked: HIPAA does not prevent healthcare professionals from sharing information necessary for providing treatment, for payment, or for healthcare operations. While private information cannot be freely shared, healthcare providers are allowed to use it among colleagues and entities to enhance patient care.
Myth #2: HIPAA Prevents Discussing a Patient’s Condition with Family Members
Debunked: Healthcare providers can discuss a patient’s condition with family members or friends involved in the patient’s care or payment for care if any of the following applies:
- The patient consents to the sharing of information.
- The patient does not object when given the opportunity.
- The provider uses professional judgment to determine the patient does not object.
Myth #3: Patients Must Sign a Form Before Receiving Healthcare
Debunked: Patients are not required to sign a form before receiving healthcare. Healthcare providers must offer a Notice of Privacy Practices (NPP), outlining how Protected Health Information (PHI) will be used and protected. Patients have the right to ask questions about the NPP.
Sharon: Oh, I didn’t realize that. But what about healthcare providers discussing patient claims with insurance companies? Is that allowed?
Healthcare Professional: HIPAA aims to protect patient information while allowing necessary collaboration among patients, family members, healthcare providers, and insurance companies.
Myth #4: HIPAA Prevents Healthcare Providers from Communicating with Insurance Companies
Debunked: HIPAA allows healthcare providers to communicate with insurance companies for payment purposes, provided they share only the necessary information.
Sharon: I’m sure healthcare providers can’t share patient information with marketers and researchers.
Healthcare Professional: There are specific guidelines for sharing information with marketers and researchers.
Myth #5: HIPAA Prohibits Sharing Patient Information with Marketers
Debunked: HIPAA permits the use of patient information for marketing purposes only if the patient has consented. Providers may use newsletters or other marketing materials that include patient identities, provided patients have granted permission. However, selling patient information to external entities is strictly prohibited.
Myth #6: HIPAA Prevents Sharing Patient Information with Researchers
Debunked: HIPAA allows sharing patient information with researchers, given patient consent and a valid research protocol. Researchers must maintain the confidentiality of the information they receive.
Sharon: I received an email from my physician. I thought HIPAA prohibited doctors from emailing patients.
Healthcare Professional: This myth may stem from the fact that many doctors choose not to email patients for various reasons.
Myth #7: HIPAA Prohibits Doctors from Emailing Patients
Debunked: Medical practitioners are permitted to email patients and send copies of health records or disclose healthcare information via email. They must, however, implement safeguards such as encryption to secure the information. Errors in email addresses can lead to HIPAA violations if private information is sent to the wrong person.
Sharon: While at the doctor’s office, the nurse called me by name in the waiting room. I thought that wasn’t allowed.
Healthcare Professional: Some medical facilities use a number system for calling patients for privacy reasons, but there is more to it.
Myth #8: Calling Patients by Name in the Waiting Room Violates HIPAA
Debunked: Calling a patient by name in a waiting room does not violate HIPAA, as no health information is disclosed. However, mentioning a health condition or other health information is not permitted. Some facilities use numbers to avoid potential issues, especially those dealing with sensitive health issues.
Sharon: I heard healthcare workers can go to jail if they don’t shred documents properly.
Healthcare Professional: Improper record disposal violates HIPAA, and while there are consequences, jail time is not always the result.
Myth #9: Healthcare Workers Go to Jail for Not Shredding Documents Properly
Debunked: A healthcare entity found noncompliant with HIPAA has 30 days to make necessary changes or face penalties. After 30 days, financial fines can be imposed, reaching up to $50,000, especially in cases of willful neglect. Unintentional errors usually result in fines rather than jail time, emphasizing the importance of acknowledging and correcting mistakes.
Myth #10: Severe Penalties and Jail Time Are Common for HIPAA Violations
Debunked: Extensive penalties, up to $100,000 and 5 years in prison, are reserved for individuals and entities that intentionally violate HIPAA regulations. The key distinction is between criminal intent and neglect or lack of awareness.
Destroying Your Medical Records
HIPAA mandates retaining medical records for ten years from their creation or last use, whichever is later. Additional state-specific requirements may also apply. All PHI, whether in paper or electronic form, must be destroyed properly.
DataSafe complies with all HIPAA information destruction laws and state regulations. We provide locked shred collection containers for secure disposal of paper documents and can destroy hard drives and electronic media storage devices. Ensure your entity remains HIPAA compliant by calling us at 503-620-3423 or by completing the form on this page.