HIPAA privacy rule: Myths and facts

Expert responds to 13 persistent HIPAA myths

During testimony late last year before the Department of Health and Human Services’ (HHS) National Committee on Vital and Health Statistics’ Subcommittee on Privacy and Confidentiality, Janlori Goldman, director of the Health Privacy Project (HPP) in Washington, DC, presented 13 myths that persist about the Health Insurance Portability and Accountability Act’s (HIPAA) privacy regulation and facts addressing those myths. (For more information, go to the HPP web site: www.healthprivacy.org.)

1. Myth: One doctor’s office cannot send the medical records of a patient to another doctor’s office without the patient’s consent.

Fact: No consent is necessary for one doctor’s office to transfer a patient’s medical records to another doctor’s office for treatment purposes.

2. Myth: The HIPAA privacy regulation prohibits or discourages doctor/patient e-mails.

Fact: The privacy regulation allows providers to use alternative means of communication, such as e-mail, with appropriate safeguards.

3. Myth: A person cannot be listed in a hospital’s directory without his or her consent, and the hospital is prohibited from sharing a patient’s directory information with the public.

Fact: The privacy rule permits hospitals to continue the practice of providing directory information to the public unless the patient has specifically chosen to opt out.

4. Myth: Members of the clergy no longer can find out whether members of their congregation or of their religious affiliation are hospitalized unless they know the person by name.

Fact: The regulation specifically provides that hospitals may continue the practice of disclosing directory information "to members of the clergy," unless the patient has objected to such disclosure.

5. Myth: A hospital is prohibited from sharing information with a patient’s family without the patient’s express consent.

Fact: Under the privacy rule, a health care provider may "disclose to a family member, other relative, or close personal friend of the individual, or any other person identified by the individual," medical information directly relevant to such person’s involvement with the patient’s care or payment related to the patient’s care.

6. Myth: A person’s family members no longer can pick up prescriptions for a patient.

Fact: Under the regulation, a family member or other individual may act on a patient’s behalf to "pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information."

7. Myth: The privacy regulation mandates all sorts of new disclosures of patient information.

Fact: HHS has said that disclosure is mandated in only two situations — to an individual patient upon request, or to the secretary of the HHS for use in oversight investigations.

8. Myth: The HIPAA privacy regulation imposes so many administrative requirements on covered entities that the costs of implementation are prohibitive.

Fact: Officials at the White House project a net saving of $12 billion to the health care system over 10 years as a result of implementation of the standards. The cost of implementing privacy over 10 years is estimated at $17 billion and savings from putting transaction standards in place are estimated at $29 billion over 10 years. Additional long-term savings are expected as patients develop more faith in the health care system and thus are less likely to withhold vital information from their doctors and will seek care more readily.

9. Myth: Patients can sue health providers for not complying with the HIPAA privacy regulation.

Fact: The regulation does not give people the right to sue. They must file a written complaint with the HHS Office for Civil Rights. Although the agency has authority to assess civil penalties, it has said that enforcement will be complaint-driven, and penalties will be imposed only for willful violations.

10. Myth: Patients’ medical records can no longer be used for marketing.

Fact: Use or disclosure of medical information is explicitly permitted for certain health-related marketing activities under the regulation.

11. Myth: If a patient refuses to sign an acknowledgement of receipt of a health care provider’s notice of privacy practices, the provider can, or must, refuse to provide services.

Fact: The regulation grants patients a "right to notice" of privacy practices for protected health information, and requires that providers make a "good-faith effort" to get patients to acknowledge that they have received the notice. But the law does not give providers either the right or the obligation to refuse to treat people who do not sign the acknowledgement, nor does it subject the provider to liability if a good-faith effort is made.

12. Myth: The regulation imposes many new restrictions on hospital fundraising efforts, making such fundraising almost impossible.

Fact: According to the rule, a hospital may use, or disclose to its "business associate" or an institutionally related foundation, demographic information, and the dates of health care provided to an individual "for the purpose of raising funds for its own benefit, without an authorization" from the patient. Such use or disclosure is not permitted unless disclosed in the notice of privacy practices.

13. Myth: The press no longer can access vital public information from hospitals about accidents or crime victims.

Fact: HIPAA allows hospitals to continue to make public, including to the news media, certain patient directory information, including the patient’s location in the facility and condition in general terms, unless the patient has specifically opted out of having such information publicly available.