Take the HIPAA Quiz. Are These Violations? (Part II)
With confusion surrounding some of the HIPAA Rules, this short quiz may help you understand some finer points. If you missed last week’s quiz, click here for Part I. Then take this week’s quiz to see how you fare.
Q. While at a neighborhood cookout, a receptionist at a health care practice mentions to a friend that she saw a mutual friend at the office last week. Is this a violation of HIPAA?
A. Yes. Health care providers must avoid accidental disclosures through routine conversation. A doctor, nurse, or technician may violate the HIPAA Rule simply by saying to a third party that they saw a particular individual at the clinic last week. That statement discloses that the individual is a patient who sought care, and both of those facts are protected health information under HIPAA.
Q. A hospital sends out a mailing to former patients informing them about a cardiac facility that can provide a baseline EKG for $39 when the communication is not for the purpose of providing treatment advice. Is this a violation of HIPAA?
A. Yes. Marketing communications require prior authorization from the patient.
Q. An employer notices from health care insurance records that an employee’s wife just gave birth to a healthy baby boy, and the employer congratulates the employee when he sees him having lunch in the cafeteria with co-workers. Is this a violation of HIPAA?
A. Yes. HIPPA protects individual’s personal health information under the Privacy Rule, and any information obtained about an individual that originates from a health care plan is protected information. If the employer learned about the birth from the employee himself or from a relative or friend, the information would not be protected under HIPAA, but if it was obtained through the health plan, then the information is protected health information, and cannot be disclosed.
Q. A patient learns that her medical practice has forwarded her medical information to a collection agency. Is this a HIPAA violation?
A. No. The Department of Health and Human Services (HHS) says debt collection is a payment activity under HIPAA, and health care providers may enter into a business associate agreement with a collector. Consent is not required to disclose information from medical files if it is made in connection with payment.
Q. An oncology practice requires all patients to sign in when they arrive at the office. Is this a violation of HIPAA?
A. Yes. Practices are allowed to use sign-in sheets with two exceptions: they cannot ask for more than a name, and if the nature of the practice is such that a third party can learn something about the patient by viewing a sign-in sheet, one cannot be used. In this instance, since the practice in an oncology practice, sign-in sheets would reveal that the person signing in has cancer.
Q. An elderly patient is always accompanied by her daughter to her doctor’s appointments. After the mother is prescribed a new medication, she develops a rash, which the daughter believes may be related to the new prescription. The daughter calls the office to discuss this with the staff. Is it a violation of HIPAA for the staff to discuss the mother’s medical condition with the daughter?
A. No. The practice can provide the daughter with information about how to handle this situation because HIPAA allows information to be shared with individuals involved in the patient’s care. In this case, because of the daughter’s knowledge of the patient’s visits, drugs prescribed, and current status, the practice can reasonably assume she is involved in the patient’s care.
Q. A patient states that he travels frequently and often loses the reminders that are sent out six weeks in advance of a scheduled appointment, and he requests that he be notified by Federal Express exactly 48 hours before his appointment. The office refuses to comply with this request. Is this a violation of HIPAA?
A. No. Although HIPAA’s right to confidential communications allows patients to receive communications from the practice in alternative forms or by alternative means or locations (e.g., a different address or telephone number), the request must be reasonable.
How well did you do?
TCS provides training on HIPAA/HITECH. For more information about these and all our courses, click on www.tcs-inc.us.
