A new eBook from the AAOS can help practices achieve and document compliance with HIPAA regulations.


Published 11/1/2015
Jonathan Krasner

What You Should Know About the HIPAA Privacy Rule

Make sure your practice is compliant

Headlines about data breaches draw attention to the Health Insurance Portability and Accountability Act's (HIPAA) Security Rule. However, its companion—the HIPAA Privacy Rule—is just as important.

Although the two rules work hand-in-hand, they are based on different concepts. The Security Rule oversees the mechanisms used to protect the privacy of electronic protected health information (ePHI), while the Privacy Rule focuses on the use and disclosure of that information. It is meant to ensure that PHI is properly protected while still allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being.

Getting started
The first step in implementing the HIPAA Privacy Rule in an orthopaedic practice is to designate, in writing, a privacy officer—the person responsible for enforcing the Privacy Rule in the office. For many practices, the privacy officer will be the same person as the HIPAA security officer.

Perhaps the most common encounter with the Privacy Rule is the Notice of Privacy Practices (NPP) that all patients sign when they are first seen in the practice. Practices should review their NPPs regularly to ensure they are up-to-date; the online version of this article provides links to model NPPs prepared by the Department of Health and Human Services that should be fine for most practices.

Under the Privacy Rule, patients have the right to obtain a copy of their medical records; patients may also request an amendment to the information in that record. Any amendment should be submitted in writing by the patient. The privacy officer can accept or deny the amendment. If the amendment is denied, the reason for the denial should be stated in writing and communicated to the patient.

Providers may not withhold access to records simply because a patient is behind in bill payments. Practices, however, may charge reasonable fees for the provision of records to patients.

The designated record set
When a patient requests his or her medical records, that does not mean that the practice must release all the information it has on the patient. The information that is released is called the designated record set (DRS). The DRS is a consistent standard of information that can be released and must be carefully defined. For example, the practice may submit information to patient registries. Although that information may be in the patient's file, it may not be in the DRS. Some electronic health record systems (EHRs) may even be programmed to recognize the DRS.

Sharing information
The Privacy Rule governs who can receive a copy of a patient's medical record. A patient has the right to restrict, in writing, who may receive his or her medical records and how he or she would like to be contacted (phone number, where statements are mailed, etc.).

In the following situations, a patient's records can be released without patient authorization:

  • Treatment, payment, and operations. Although this is a routine part of practice operations, practices should make reasonable efforts to minimize the use and disclosure of PHI. For example, a biller should only disclose to an insurance company the information necessary to bill for an encounter.
  • Conversations with the patient's authorized representative (parent, guardian)
  • Working with a business associate (such as cleaning personnel, computer technicians, accountants, and anyone a practice hires who might have access to protected information)
  • Public health activities (such as reports aimed at preventing or controlling diseases)
  • Health oversight activities such as audits
  • A subpoena in a judicial or administrative proceeding—for more information about disclosure of PHI to law enforcement officials, see the link in the online version of this article.

The Privacy Rule allows covered entities (such as an orthopaedic practice) to share PHI with other individuals on behalf of a patient if it is in the best interest of the patient or the patient would not object. The following examples are instances in which the exercise of professional judgment may permit the sharing of PHI:

  • A patient brings a friend, family member, or interpreter to the appointment and into the treatment room.
  • A friend or family member will be caring for the patient at home after a procedure.
  • A doctor or nurse may discuss an incapacitated patient's condition with a family member over the phone.

Professional judgment should be used in conjunction with experience and common practice to make the proper decision in each situation.

An exception to the Privacy Rule exists with regard to de-identified information. For example, a practice that is participating in a study may disclose PHI as long as the information has been properly de-identified. With regard to pharmaceuticals, the following rules apply:

  • Practices may provide refill reminders to the patient and receive reimbursement from the pharmaceutical company equivalent to the cost of the communication.
  • Practices can also distribute marketing materials of nominal value, such as brochures, business cards, or pens.
  • However, practices may not provide patient lists to pharmaceutical companies for drug promotions without the patients' authorization.

Don't forget employees
Improper use of health information by a hospital's or medical practice's employees is the second most common cause of a HIPAA data breach and may result in significant fines and penalties. Medical records are worth a lot of money on the black market. Dishonest employees can use medical records for direct personal financial gain (illegally obtaining credit, for example) or can sell them to a third party. Both are egregious HIPAA violations.

To discourage this type of fraud and abuse and minimize its impact, the HIPAA privacy/security officer in each practice should regularly check the logs of employee access to the practice management and EHR systems to look for any abnormal patterns. Any HIPAA violation—security, privacy, or both—can result in substantial fines.
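As an added example (not from the article or from HIPAA Secure Now!), the following Python script scans constructed EHR access-log lines for the kinds of abnormal patterns the paragraph above tells the privacy/security officer to look for: after-hours access, an employee opening his or her own record, and one user viewing an unusually large number of distinct patients in a day. The log format, office hours, the daily threshold, and the staff-to-patient-ID mapping are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines from a hypothetical EHR/practice
# management system. Assumed format: "timestamp user patient_id action".
SAMPLE_LOG = [
    "2015-10-05T09:12:00 jsmith P1001 view",
    "2015-10-05T09:40:00 jsmith P1002 view",
    "2015-10-05T22:15:00 jsmith P1003 view",   # after office hours
    "2015-10-05T10:02:00 jsmith P1004 view",   # jsmith's own record
    "2015-10-05T11:00:00 mlee P2001 view",
    "2015-10-05T11:30:00 mlee P2002 print",
] + [f"2015-10-06T1{i % 8}:05:00 tkim P3{i:03d} view" for i in range(30)]

# Hypothetical mapping of staff user names to their own patient IDs,
# so that self-lookups can be flagged (assumed data).
EMPLOYEE_PATIENT_IDS = {"jsmith": "P1004", "mlee": "P2050", "tkim": "P3999"}


def parse_line(line):
    """Split one log line into (timestamp, user, patient_id, action)."""
    ts, user, patient, action = line.split()
    return datetime.fromisoformat(ts), user, patient, action


def find_abnormal_access(lines, employee_patient_ids,
                         office_hours=(7, 19), max_patients_per_day=25):
    """Return a sorted list of (user, reason) findings.

    office_hours is a half-open [start, end) hour range; accesses outside it
    are flagged. max_patients_per_day is the assumed ceiling on distinct
    patient records one user should touch in a day.
    """
    findings = set()
    per_day = defaultdict(set)  # (user, date) -> distinct patient IDs
    for line in lines:
        ts, user, patient, action = parse_line(line)
        per_day[(user, ts.date())].add(patient)
        if not office_hours[0] <= ts.hour < office_hours[1]:
            findings.add((user, f"after-hours {action} of {patient} at {ts.isoformat()}"))
        if employee_patient_ids.get(user) == patient:
            findings.add((user, f"accessed own record {patient}"))
    for (user, day), patients in per_day.items():
        if len(patients) > max_patients_per_day:
            findings.add((user, f"{len(patients)} distinct patients on {day} "
                                f"(limit {max_patients_per_day})"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in find_abnormal_access(SAMPLE_LOG, EMPLOYEE_PATIENT_IDS):
        print(f"{user}: {reason}")
```

Each finding is a starting point for a review by the privacy officer, not proof of a violation; a legitimate on-call look-up at night will also be flagged.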

The HIPAA Privacy Rule comes into play every day in an orthopaedic practice. Administration and enforcement of HIPAA privacy is not overly difficult, but practices must take appropriate steps to ensure compliance.

Jonathan Krasner is the director of business development for HIPAA Secure Now! HIPAA Secure Now! provides a cost-effective and easy-to-use HIPAA compliance service for small and mid-sized practices.

Is your practice HIPAA compliant?
The HHS Office for Civil Rights (OCR) has found many physician offices that do not comply with the HIPAA Security Rule. Consequently, OCR is conducting random HIPAA audits to assess not only provider compliance with the Security Rule but also compliance by their business associates.

In addition, the Office of Inspector General has started its own security audit program to determine if organizations attesting for EHR meaningful use are as compliant with HIPAA as they contend. The AAOS has developed a HIPAA Security and Risk Assessment Manual to assist orthopaedic practices with achieving and documenting HIPAA security compliance.

More information on the new HIPAA Security Risk Assessment Manual (eBook).