Leon Rodriguez: Hi, I am Leon Rodriguez, Director of the Office for Civil Rights at the US Department of Health and Human Services. Today, I would like to welcome you to this program titled Patient Privacy: A Guide for Providers. Joining me today is Dr Michelle Johnson, a practicing obstetrician/gynecologist at Calvert OB/GYN Associates of Southern Maryland. Welcome, Michelle.

Michelle Johnson, MD: Thank you, Leon, for having me here today. Currently, I am in practice in Calvert Memorial Hospital, which is a small area outside of Washington, DC. The area takes care of 80,000 people. We are the sole providers for obstetrical care in that region in southern Maryland. My practice includes 5 practicing obstetricians as well as a nurse practitioner. Thank you again for having me today.

Mr Rodriguez: Great to have you here today.

Dr Johnson: Thank you.

Mr Rodriguez: The goals of this program are to describe the rights of patients provided by the HIPAA privacy rule and to provide doctors and other providers with strategies to build and maintain a culture of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Let’s talk for a moment about who is covered under the HIPAA privacy rule, which is one of 2 major rules under HIPAA. We also have the security rule. The privacy rule became effective on April 14, 2003, for all but small health plans, and they were added in 2004. Covered under HIPAA are a variety of different individuals and entities. We call them covered entities, and those include doctors, clinics, hospitals, dentists, nursing homes, and pharmacies that transmit data electronically. It also includes health plans, insurance plans, and healthcare clearing houses.

As a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act that was passed in 2009, HIPAA has also been expanded to include business associates. Business associates are those persons or organizations that function on behalf of a covered entity, such as a doctor, and who either use or receive identifiable health information.

Let me explain that term identifiable for a moment. Identifiable means that the health information can be connected to the individual, to the patient. We actually have guidelines that establish a set of 18 identifiers, such as a name, a date of birth, or an address, and you can find those on our Website, HHS.gov/ocr.

Let’s talk about how HIPAA applies to your patients. The HIPAA privacy rule grants your patients specific rights, and we will discuss today how these rights are protected and how you, the healthcare provider, can best align your policies and practices to best help your patients. One of the rights that is guaranteed under HIPAA is the right of access, and this is interesting because very often HIPAA is understood as the right of privacy and security, which it is, but it is also really the right of the patient to control what happens with their medical record. One of the most important things is access. As a result, patients have the right to see and obtain a copy of their medical record, generally within 30 days of the request. Certain parts of the record might not be available, such as psychotherapy notes. Where records are maintained electronically, patients also have a right to request electronic access to their health record.

Michelle, I know this is something for which your practice has specific procedures. I would ask you to please describe them.

Dr Johnson: Yes, we do, Leon. What we find that works best for us is having the patient fill out a medical records release form. We will copy and provide access to them for all of their records on Fridays. We feel like if we have this written down in our policies and procedure manual, the patients know directly when they will be able to get their record, so if the patient fills out her request for release, by Friday it will be ready for them to pick up to take wherever they need.

Mr Rodriguez: That is great, so that means you complete the request well within 30 days.

Dr Johnson: Well within the 30 days. We want to give ourself any room for leeway. Let us say a part of the file went to another doctor’s office or something. We need to make sure we have all of the patient’s records in one place, and copied, and available to them.

Mr Rodriguez: I understand that your practice, like most practices, charges patients for the records and that you observe certain standards in doing that. Can you talk to us a little bit about that?

Dr Johnson: Yes, we do, Leon. We typically will use the MedChi (Maryland State Medical Society) guidelines.

Mr Rodriguez: Great.I want to tell you a little bit about the kinds of complaints that we see at the Office of Civil Rights. Sometimes we have had complaints about providers withholding access to their patients because of nonpayment. You should understand that nonpayment of the bill is not a basis to withhold the medical record from the patient. Sometimes we also receive complaints because of confusion regarding access to the records of another provider who may have given you those records. Again, whatever is in the chart; I think you might have some experience with that.

Dr Johnson: Yes, Leon, and I think that is very important, especially when you are seeing a new patient. That patient may come to you with records from another physician. I feel it is important for that doctor to mark those records. We put it in a separate place in the chart, so it is not mixed with our own records, so when the patient requests it back, it is there for them. The other thing that a provider can do is copy the pages that they need and then send home the records with the patient so that they always maintain their records.

Mr Rodriguez: Great, and, of course, I mentioned that doctors are entitled to charge, for example, for the costs of copying the medical record. Sometimes we do receive complaints where, for example, the fees might be unreasonable, or there is a fee for it as something that is not covered within HIPAA. That is why it is really smart to do what Michelle’s practice does, which is follow MedChi or similar standards, which provide clear rules of the road as to how to handle that.

Patients also have the right to request that information in their record be amended. For example, a patient who has received their medical record may see something in the chart that they disagree with, and they can submit a written statement of disagreement to their provider asking that that aspect be changed. The provider, depending on their judgment as to whether the correction sought is appropriate or not, can either grant the correction requested by the patient or deny the correction requested by the patient. If the patient disagrees with the doctor’s denial, then the patient can put a further statement in the record indicating that they disagree with the fact that the doctor denied them the correction that they sought. Michelle, do you see this frequently in your practice?

Dr Johnson: Luckily, we do not, but we do have standards set in place. We do have a HIPAA compliance officer, so if something like that were to happen, the patient would submit the statement, that would be placed in the patient’s record -- typically in a separate section -- so that we have that access available, and we are able to see that.

Mr Rodriguez: I think that most doctors’ experience is a lot like Michelle’s. It is not that frequent that patients actually ask for an amendment or a change in their record. It is for that reason that it is really important to have appropriate procedures in place for those rare times when these are requested.

I also heard you say that you have a HIPAA privacy officer, which is one of the things that is required under the HIPAA privacy rule, and it is really a great practice for having an organized way of complying with the HIPAA requirements. Can you tell us a little bit about what your HIPAA privacy officer does?

Dr Johnson: Leon, I think that is a really good point. When we found out that it was a requirement, sometimes practices will rack their brains. How am I going to employ another person to do another job? We are stretched very thin, but what we have found is, if we have dedicated our office manager, our HIPAA compliance officer, she is well versed in all of the policies and procedures, and she is always around, and she is always there. If there is ever a patient with a problem or a HIPAA issue, we are able to send that patient to her private office, close the door, and they can address these issues, and we find that works well for us.

Mr Rodriguez: Patients also have the right to know with whom their information has been shared, and this is what we call an accounting for disclosures. They cannot get an accounting for all disclosures under current rules; current exceptions include disclosures related to treatment or payment operations. On request, a doctor must be able to provide a report to a patient of all the entities with whom their personal health information was shared. Michelle, I understand that this is another area that is actually rarely seen in your practice.

Dr Johnson: Yes, this is actually rarely seen but we do have a typed form that if something like that were to happen. The person who released the information must sign and date it [with a record of what information was shared and with whom]. So we do have a policy in place.

Mr Rodriguez: Again, the same idea. Even though this is something that rarely happens, I think most providers have the same experience that Michelle does. It is important to have policies and procedures for these situations in place so that when they do occur, these issues can be handled in a HIPAA-compliant manner.

Patients also have a right to decide and control how their health information is used and shared. In particular, patients have the right to decide whether their information can be shared, such as with employers or with other entities that are not otherwise involved in their care.

Also, patients have a right to regulate, and doctors have a right to make judgments about when and under what circumstance their friends and family can receive their health information. A healthcare provider may also share information with these persons if, using their professional judgment, he or she decides that the patient does not object. Of course, this is something that happens a lot in obstetrics and gynecology.

Dr Johnson: It really is, in dealing with teenagers as well as pregnant women. When we are seeing a patient for the first time, we would like to identify those people that they allow their information to be shared with out front initially. If we have the opportunity, we will ask the patient in private, "Is there is anybody who can have access to your records besides yourself?"

If that situation does not arise, and we are in a room with a patient and the family, I try to ascertain what the atmosphere in the room is like. If I feel like there is a great relationship between the patient and the family, I will ask right in front of the family. I will redescribe the HIPAA privacy laws, and I will tell them, "If it is OK with you, I will be able to communicate with your mother or your father regarding your health information.” If I feel that the atmosphere is not conducive to that, I will wait until a later date and rediscuss that with the patient.

Mr Rodriguez: What about the situation where a patient tells you very explicitly, even, let us say, a teenage patient, “I do not want my mother hearing my conversation with you.” How do you handle that situation?

Dr Johnson: I think that is really good. Certain things are very benign. For example, if a patient is on birth control pills, and the patient is healthy and otherwise has no medical problems, I feel that can be kept private; however, if the patient expresses some concern about depression and probably suicidal ideation, I, as a health provider, can use my professional judgment and go against that HIPAA privacy and speak with her parents regarding that situation.

Mr Rodriguez: A few important points here. First of all, HIPAA is meant to be used in conjunction with a provider’s professional judgment. Michelle, like many doctors, makes judgments when she has a patient encounter, especially in the context such as labor and delivery, where things are happening very quickly. She makes judgments about whether the patient’s family members, the patient’s friends, are in a position where they should be able to hear the patient’s information.

When a patient explicitly says, "I do not want my information shared," under ordinary circumstances, a physician is expected to respect the wishes of the patient, except in those circumstances where a patient may pose an imminent threat either to themselves or to a third person. In that case, often professional codes either authorize or, in fact, require the healthcare provider to make a disclosure about that information.

Patients also have a right to restrict what is done with their information. HIPAA provides patients with the right to restrict disclosure of sensitive data that they do not want shared. For example, HIPAA provides patients with a right to restrict disclosures to health plans for treatment or services that they have paid for in cash, meaning you have no reason to disclose their information to the insurance company.

Some providers these days use electronic prescribing mechanisms, which means that the pharmacy may, in turn, be the ones to be notifying an insurance company about treatment or services that perhaps the patient would not want disclosed. In those cases, although it is not required, it is a good practice for providers to remind the patient that even though the provider they have spoken to will not disclose their information, they also need to have that same conversation with their pharmacy provider.

Patients also have a right to say how they want to be contacted. For example, they can tell a provider that they want to be contacted at a particular phone number or to tell them where a covered entity can or cannot leave a message.

Patients may also request that their health information, such as bills or lab reports, be received at a location other than their home address. Can you tell me a little bit about how your practice manages that?

Dr Johnson: Yes, Leon, I think that those are very important points. I think the contact information is very important. There are 2 examples that come to mind. The first example is whether or not you are scheduling a follow-up appointment for the patient. Many patients do not have any other family members whom they want to know that they are seeing a doctor for certain things.

When that happens, when our patient checks out, the providers at the front desk will ask the patient, "Is it OK to call you and leave a message to say that you have a follow-up appointment?" They will say “yes” or “no,” and we will note that in the computer so that their wishes are followed.

The second example that I can think of that is important is if I am giving test results. Let’s say a patient has had a biopsy. Is it OK to leave that message on the phone, or is it OK to give it to the husband or the family member that is with them? I will find out from the patient before I do that. After the procedure is done, I will specifically ask the patient, “How would you like your test results communicated?” I note that in the medical record.

Mr Rodriguez: This is all about patient autonomy and patient control over what happens with their health information. What makes this really important is that this has a lot to do with whether patients seek care or not. Many of the things that patients tell their doctors in confidence are because they trust that those things will not be disclosed to third parties. Very often, if they do not have that confidence, it may mean that they will not seek important care.

Another requirement under HIPAA for doctors is that patients be issued a notice of privacy practices. This is something that I am sure many of you are familiar with. The notice must describe your patients’ rights, including the right to complain to you if they believe their rights have been violated and the right to make those complaints without retaliation. The notice must be provided on the first visit, but you do not have to give it out every time that you see a patient.

Michelle, I am going to ask you a little bit about how your practice delivers the notice of privacy practices to your patients. I understand, for example, that you have a binder where it has the complete set of privacy rules and then also a folder that the patient can take with them. Can you describe when you use those 2 items?

Dr Johnson: Yes, Leon. When a patient first comes to the office, the secretary will give them the binder to view of our full, complete, HIPAA privacy rules. The patient is allowed to read those. Many patients are very knowledgeable about HIPAA already, and they do not want to read the binder. We actually will have them sign a paper that says that they have been given the HIPAA privacy notices and have received them, whether they have chosen to read them or not. The patients are also given a folder to take home with them that has our HIPAA compliance rules.

Mr Rodriguez: As I understand it, the paper that they sign, in fact, is put in their chart and becomes part of their chart.

Dr Johnson: The paper does actually become part of their permanent medical record.

Mr Rodriguez: One of the things that HIPAA requires is that the notice be posted in your office in a manner where people can see it. The example of offering the patients the notebook is an example of where patients would have ready access to that information.

Patients should also be given an option to take a copy home of the notice of privacy practices. This is another area where we sometimes do get complaints from patients. One, we get complaints that providers do not provide the notice, or we have had complaints that patients who are asked to sign a form stating that they received the form, but in fact, according to the patient, they never did get it. This is a relatively simple area with which to comply, so we really encourage providers to really be careful with these issues.

Another one of the critical provisions of HIPAA is that there be a way for patients to make complaints if they are dissatisfied, in some way, with how the privacy of their health information was handled. They have a right to make a complaint to the provider and to be free from retaliation. How do you manage that in your practice?

Dr Johnson: This is a very good point. As we stated earlier, our practice does have a HIPAA compliance officer, so let’s use an example; l like to use examples. Let’s say a message was left on the phone that the patient did not want her husband to get. We would put that patient immediately in contact with our HIPAA compliance officer. They will decide between themselves if they need an in-person meeting [to address the patient’s concerns] or if a telephone meeting was sufficient. The HIPAA compliance officer -- again, as I stated, that it was our office manager -- will go into her private office and try to address the issues and see how we can best accommodate that patient.

Mr Rodriguez: Another great example of the importance of that is the HIPAA compliance officer, who is, in fact, required under the regulations. There are also restrictions on the sale of protected health information, marketing using protected health information, and fundraising using protected health information, and some of those restrictions have become tighter under the HITECH Act that I described before.

For example, HIPAA prohibits the sale of protected health information without the explicit authorization of the patient. This restriction has significantly been tightened under the HITECH Act, and, also, HIPAA allows for patients to opt out of fundraising communications. This is not the kind of thing that ordinarily occurs in your kind of practice.

Dr Johnson: No, we do not see this very much at all.

Mr Rodriguez: In other kinds of practices, it may occur quite frequently; for example, in a hospital practice or in certain types of larger practices.

HIPAA now makes it easier -- and this is again talking about how it is about much more than just privacy and security -- for parents to permit providers to share their children’s immunization records with schools.

I want to talk, as we draw to a close, about the importance of a culture of compliance. It is really important for providers to emphasize that the privacy and security of their patients’ information is the responsibility of every employee in a particular practice. How do you do that in your practice?

Dr Johnson: I feel that you have to get the patient’s trust, Leon. I feel like there were a couple of things that you said that were very important. If you do not have that patient’s trust, the patient may not seek health care. If we are limiting patients from getting access to health care because they do not trust the providers, then we are not doing a service to our patients. I feel like establishing the patient trust, having set policies and procedures in place that your patients are readily able to see and identify are key things that will make a patient trust the physician and the practice. By following all of our policies and procedures, having our HIPAA compliance officer, explaining to the patient the HIPAA privacy rules, giving them a copy, and communicating with the patient, this is how we take care of that trust issue.

Mr Rodriguez: There are a number of important steps that providers need to take to ensure compliance with these important rules that we discussed before. It is important to have that HIPAA compliance officer, it is important to have policies and procedures, and also important to train your staff and to have a culture in your practice that lets the employees in your practice know that these rules are important. They are important because it is the law, but they are important, above all, because of what Michelle said: They are important for maintaining the patient’s trust and the care that they are receiving from your practice.

We have a lot more information on our Website that can be helpful to you in making sure that your practice is HIPAA-compliant. We invite you to go to ww.HHS.gov/OCR/HIPAA where we have guidance about a number of things that you can do to make sure that your practice is 100% in compliance with these important rules. Thank you for participating in this activity, and thank you, Michelle, for joining us today.

Dr Johnson: Thank you.

Mr Rodriguez: You may now take the CME post test by clicking on the earn CME credit link. Please also take a moment to complete the program evaluation that follows.