Course 625 - HIPAA Privacy Training

Your Personal Rights Under HIPAA

Most of us believe our medical and other health information is private and should be protected. Most of us also want to know who has access to this private information. The Privacy Rule gives you rights over your health information and sets rules and limits on who can look at and receive your health information.

Protected Information

The following information is protected for each individual:

  • information your doctors, nurses, and other health care providers put in your medical record
  • conversations your doctor has about your care or treatment with nurses and others
  • information about you in your health insurer’s computer system
  • billing information about you at your clinic
  • most other health information about you held by those who must follow these laws

Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly. They must also have procedures in place to limit who can view and access your health information, as well as implement training programs for employees about how to protect your health information.

Individual Rights

Under HIPAA, patients are entitled to more information about and more control over their individual health information.

  1. Access to Information – A person can request and receive a copy of their health information and may request that copy be in electronic form. The covered entity may charge a reasonable fee for providing the copy either in paper or electronic form.
  2. Amend Information – A person may ask for their information to be amended to correct errors, but covered entities are only responsible for making changes in the records that they created.
  3. Accounting of disclosures – An individual may request a list of all the times their information was released improperly.
  4. Notice of Privacy Practices – An individual has the right to receive a written notice of privacy practices from covered entities that details rights of the individual and duties of the covered entity under HIPAA.

Employers and Health Information in the Workplace

The Privacy Rule controls how a health plan or covered health care provider discloses protected health information to an employer, including your manager or supervisor.

Employer Requests

The Privacy Rule does not prevent your supervisor, human resources worker or others from asking you for a doctor’s note or other information about your health if your employer needs the information to administer sick leave, workers’ compensation, wellness programs, or health insurance.

If your employer asks your health care provider directly for information about you, your provider cannot disclose the information without your authorization. Covered health care providers must also have your authorization to disclose this information to your employer, unless other laws require them to disclose it.

Generally, the Privacy Rule applies to disclosures made by your health care provider, not to the questions of your employer.

Employment Records

The Privacy Rule does not protect your employment records, even if the information in those records is health-related. Generally, the Privacy Rule also does not apply to the actions of an employer, including the actions of a manager in your workplace.

If you work for a health plan or covered health care provider:

  • The Privacy Rule does not apply to your employment records.
  • The Rule does protect your medical or health plan records if you are a patient of the provider or a member of the health plan.

Sharing Health Information

HIPAA allows healthcare providers to give prescription drugs to any person you send to pick them up.

Under HIPAA, your health care provider may share your personal information face-to-face, over the phone, or in writing. A health care provider or health plan may share relevant information if:

  • You give your provider or plan permission to share the information.
  • You are present and do not object to sharing the information.
  • You are not present, and the provider determines based on professional judgment that it’s in your best interest.

Examples

  • An emergency room doctor may discuss your treatment in front of your friend when you ask your friend to come into the treatment room.
  • Your hospital may discuss your bill with a family member or friend who is with you and has a question about the charges, if you do not object.
  • Your doctor may discuss the drugs you need to take with your health aide who has come with you to your appointment.
  • Your nurse may not discuss your condition with a family member or friend if you tell her not to.
  • HIPAA also allows health care providers to give prescription drugs, medical supplies, x-rays, and other health care items to a family member, friend, or other person you send to pick them up.

A health care provider or health plan may also share relevant information if you are not around or cannot give permission when a health care provider or plan representative believes, based on professional judgment, that sharing the information is in your best interest.

For example, if you had emergency surgery and are still unconscious, your surgeon may tell your spouse about your condition, either in person or by phone, while you are unconscious.

Your doctor may discuss your drugs with your caregiver who calls your doctor with a question about the right dosage. However, a doctor may not tell your friend or family member about an unrelated past medical problem.

Communication & Patient Care

Providers are permitted, in most circumstances, to communicate with the patient’s family, friends, or others involved in their care.

Even though HIPAA requires health care providers to protect patient privacy, providers are permitted, in most circumstances, to communicate with the patient’s family, friends, or others involved in their care or payment for care.

Providing Information

If the patient is present and has the capacity to make health care decisions, a health care provider may discuss the patient’s health information with a family member, friend, or other person if the patient agrees or, when given the opportunity, does not object. A health care provider also may share information with these persons if, using professional judgment, he or she decides the patient does not object. In either case, the health care provider may share or discuss only the information the person involved needs to know about the patient’s care or payment for care.

Examples

  • An emergency room doctor may discuss a patient’s treatment in front of the patient’s friend if the patient asks that her friend come into the treatment room.
  • A doctor’s office may discuss a patient’s bill with the patient’s adult daughter who is with the patient at the patient’s medical appointment and has questions about the charges.
  • A doctor may discuss the drugs a patient needs to take with the patient’s health aide who has accompanied the patient to a medical appointment.
  • A doctor may give information about a patient’s mobility limitations to the patient’s sister who is driving the patient home from the hospital.
  • A nurse may discuss a patient’s health status with the patient’s brother if she informs the patient she is going to do so and the patient does not object. But a nurse may NOT discuss a patient’s condition with the patient’s brother after the patient has stated she does not want her family to know about her condition.

Incapacitated or Not Present Patient

If the patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others as long as the health care provider determines it is in the best interest of the patient.

When someone other than a friend or family member is involved, the health care provider must be reasonably sure the patient asked the person to be involved in his or her care or payment for care. Again, the health care provider may discuss only the information the person involved needs to know about the patient’s care or payment.

Examples

  • A surgeon who did emergency surgery on a patient may tell the patient’s spouse about the patient’s condition while the patient is unconscious.
  • A pharmacist may give a prescription to a patient’s friend who the patient has sent to pick up the prescription.
  • A hospital may discuss a patient’s bill with her adult son who calls the hospital with questions about charges to his mother’s account.
  • A health care provider may give information regarding a patient’s drug dosage to the patient’s health aide who calls the provider with questions about the particular prescription.

However, a nurse may not tell a patient’s friend about a past medical problem unrelated to the patient’s current condition. Also, a health care provider is not required by HIPAA to share a patient’s information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.

Disclosing PHI to Law Enforcement

The HIPAA Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to continue. The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials, without the individual’s written authorization, under specific circumstances including, but not limited to:

  • To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena.
  • To respond to a request for PHI about a victim of a crime, and the victim agrees.
  • To report PHI to law enforcement when required by law to do so.
  • To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct.

For a complete understanding of the conditions and requirements for these disclosures, please review the exact regulatory text at the HHS FAQ Page for this topic.

How to File a Complaint

An employee, or representative of an employee, who believes he or she has been retaliated against for disclosing HIPAA-protected information in the course of reporting or complaining about a workplace safety or health issue, may file a complaint with OSHA within 30 days of the retaliation.

The complaint should be filed with the OSHA office responsible for enforcement activities in the geographical area where the employee resides or was employed. It also may be filed with any OSHA officer or employee.

For more information, contact your closest OSHA Regional Office.

Instructions

Before beginning this quiz, we highly recommend you review the module material. This quiz is designed to allow you to self-check your comprehension of the module content, but only focuses on key concepts and ideas.

Read each question carefully. Select the best answer, even if more than one answer seems possible. When done, click on the "Get Quiz Answers" button. If you do not answer all the questions, you will receive an error message.

Good luck!

1. Under HIPAA, your health care provider may NOT share your information in which of the following ways?

2. When can your health care provider give personal health information to your employer?

3. If an employee believes he/she has been retaliated against for disclosing HIPAA-protected information, the worker can file a complaint with OSHA within _____ of the retaliation.

4. When can your health care provider or health plan share relevant information, if you are not around?

5. When can a nurse tell a patient’s friend about a past medical problem unrelated to the patient’s current condition?

