20 Common HIPAA Myths Debunked

Common HIPAA Myths

In this post we cover some of the many HIPAA myths that have been circulating on the internet and often get talked about. In a lot of cases, healthcare employees are guilty of believing these HIPAA myths, so it is about time that these myths were busted.

These HIPAA myths have often arisen as a result of misinterpretations of the complex HIPAA Rules. Over time, these myths have gained traction and many people mistakenly believe that HIPAA is overly restrictive and prevents healthcare employees from doing their jobs or stops patients from exercising their legitimate HIPAA rights.

20 Common HIPAA Myths Busted

Healthcare professionals cannot be expected to have an encyclopedic knowledge of HIPAA Rules, and it is not necessary for all the intricacies of HIPAA to be understood. It is if you are a HIPAA officer, but not of you are a physician or nurse as you just need to know enough to be able to do your job without violating HIPAA Rules.

The HIPAA myths listed below are relevant to all healthcare workers. If you believe any of the HIPAA myths listed here, you could actually be violating HIPAA!

So enough of the preamble, lets get on with busting some HIPAA myths! 20 to be precise!

HIPAA MYTH #1 – HIPAA Applies to All Healthcare Organizations

HIPAA applies to all healthcare organizations that conduct healthcare transactions electronically. These HIPAA-covered entities are healthcare providers, health plans, and healthcare clearinghouses. The latter convert data from one format to another. In the digital age, virtually all healthcare organizations are required to comply with HIPAA as at least some transactions are conducted electronically.

HIPAA MYTH #2 – Copies of Medical Records Can Only Be Provided to a Patient or the Patient’s Caregiver

Copies of a patient’s medical records can be provided to anyone who has been named a personal representative of a patient. That could be a spouse, family member, caregiver, lawyer, or any other individual that the patient nominates as his or her personal representative.

HIPAA MYTH #3 – HIPAA Prevents Healthcare Providers from Sharing Patient Information with Family Members

HIPAA does not prevent healthcare providers from sharing information about a patient with members of the patient’s family. If the patient is present, information can be shared with friends and family members if the patient does not object. If the patient is incapacitated and, based on professional judgement, a healthcare employee believes the patient would not object to information being shared, it is permissible for information to be shared with family members, other relatives, or close personal friends of the patient. You should be aware that family members cannot be provided with a copy of a patient’s health records unless the patient has authorized this in writing.

If a patient has made it clear that information should not be shared with their family, or a specific person, then the patient’s wishes must be respected.

HIPAA MYTH #4 – Doctors are Prohibited from Emailing Patients

This is one of the most common HIPAA myths. Doctors and other healthcare professionals are permitted to send emails to patients. This myth may have arisen because many doctors do not want to email patients. It is also acceptable to send copies of patient health records via email, or to disclose healthcare information in emails. There is one caveat. Safeguards must be implemented to keep that information secure when it is transmitted over email. That means that emails must be encrypted.

If a patient requests a copy of their health information via email, and encryption for email is not available, healthcare providers must advise the patient of the risks associated with the transfer of information in that manner. If the patient accepts those risks, then it is perfectly acceptable to email the information without first encrypting it.

It is worth mentioning that care must be taken to ensure the email address is correct. If a patient’s electronic protected health information is sent to an incorrect person, that would be an impermissible disclosure and a violation of HIPAA.

HIPAA MYTH #5 – HIPAA Prohibits the Use of Sign-in Sheets

Patient sign-in sheets are permitted under HIPAA, but the information on those sheets must be restricted. They should not include any health information. For example, you should not include information about the reason for a visit, only the name, time, and provider name are acceptable.

HIPAA MYTH #6 – HIPAA Prohibits Family Members from Collecting a Patient’s Prescription

Pharmacies are permitted to give a patient’s prescription to a family member. Another individual can act on a patient’s behalf and can collect medical supplies, prescriptions, and even medical images, test results and other information containing the patient’s protected health information. A healthcare employee must use their professional judgement and determine that it is in the best interest of the patient.

HIPAA MYTH #7 – Patients’ Health Information Cannot be Used for Marketing Purposes

HIPAA does prohibit the use of protected health information for marketing purposes, unless authorization is obtained from the patient in advance, but certain marketing activities are expressly permitted. For instance, health plans can send information to plan members about alternative treatments or health plan related products. Such correspondence is not considered to be marketing, even if the health plan is paid to encourage patients to use an alternative product or service.

HIPAA MYTH #8 – If a Patient Refuses a Notice of Privacy Practices, Healthcare Services Cannot be Provided

Healthcare providers must provide patients with their Notice of Privacy Practices, but patients do not have to accept the document, read it, or sign it. A healthcare provider must provide the NPP and make a good faith effort to obtain a signature to acknowledge that the patient has received the NPP. If a signature cannot be obtained, treatment can still be provided.

HIPAA MYTH #9 – HIPAA Makes Fundraising Impossible for Healthcare Providers

HIPAA does not prohibit fundraising and disclosures of a limited amount of information to business associates for the purpose of fundraising is permitted. Demographic information and dates of healthcare provision can be disclosed to an individual for the purpose of raising funds, provided that the disclosures are detailed in the Notice of Privacy Practices and the patient has not opted out. Any correspondence for fundraising purposes must include information about how patients can opt out of further fundraising initiatives.

HIPAA MYTH #10 – You Have the Right to Obtain a Copy of ALL your Health Information

Healthcare organizations must provide patients/plan members with a copy of their health information on request, but some information can be omitted. Notably, psychotherapy notes will not be provided to patients and information about a patient may be withheld if it is believed the disclosure could cause a patient harm. The latter tends to apply to mental health records.

Under HIPAA, healthcare organizations must provide all health information contained in a designated record set. That will typically include all information that is used to make decisions about individuals, such as medical records, billing information, and medical images, but it does not include all information on a patient. For example, Information on patients that is only used for business purposes or for making business decisions will not be released.

HIPAA MYTH #11 – Doctors Cannot Send Medical Records to Another Healthcare Provider

Doctors can send medical records to other healthcare providers, and other entities, without patient consent. The HIPAA Privacy Rule permits disclosures for the purpose of treatment, payment, and healthcare operations without requiring consent from patients. That includes sending patient health records to other physicians for consultations and for referrals. Most other disclosures do require consent to be obtained in writing in advance. Notable exceptions are disclosures to family members, to law enforcement as part of investigations into criminal activity, to the Secretary of the HHS for the purpose of oversight investigations, and for public health activities.

HIPAA MYTH #12 – Healthcare Providers Cannot Sell Your Health information

This is not strictly true as your health information can be sold on, although before that happens it must be striped of all identifiers that tie that information to you personally. There are 18 identifiers that must first be removed. Your health information is then classed as de-identified health information, which is no longer covered by HIPAA Rules.

HIPAA MYTH #13 – Patients Cannot be Listed in a Hospital Directory Without Consent

The HIPAA Privacy Rule allows patients to be included in hospital directories without consent being provided, although a patient has the right to opt out. The information on the patient may include a name, location, and a general description of the patient’s condition: Critical, serious, fair, good, and undetermined for instance. That information can be disclosed over the phone or in person to anyone who asks about the patient by name. That information can also be disclosed to members of the clergy, unless a patient has specifically objected to such disclosures.

HIPAA MYTH #14 – The Media Cannot be Notified About the Status of a Patient

Healthcare providers can disclose basic information about a patient to the media without violating HIPAA. That information should be restricted to directory information as detailed above, provided the patient has not objected or opted out from such disclosures. Again, this applies when a request is made about a patient and the patient’s name is provided.

HIPAA MYTH #15 – Reporters that Publish Patient Information are Violating HIPAA

HIPAA Rules can only be violated by HIPAA-covered entities, business associates of HIPAA-covered entities, and subcontractors of those business associates. Newspapers, TV stations, and other media outlets are not HIPAA-covered entities or business associates, so their reporters cannot violate HIPAA Rules. If they obtain any patient information and publish the details, HIPAA Rules have not been violated by the reporter or media outlet, no matter where that information has come from. If a healthcare employee accesses medical records without authorization and provides the information to a reporter, it is the healthcare employee that has violated HIPAA not the reporter.

HIPAA MYTH #16 – You Cannot be Called by Name in a Waiting Room

This is one of the most common HIPAA myths on internet forums. It is not a HIPAA violation to call a patient in a waiting room by name as no health information is being disclosed. However, it is not permitted to call a patient by name and also state a health condition or any other health information. Don’t say, “Mrs Smith, please come to room 10 for your Chlamydia test”!

HIPAA MYTH #17 – All Health Information is Covered by HIPAA

This is not true. HIPAA only covers health information that is created, received, maintained, stored, or transmitted by a HIPAA-covered entity (healthcare provider, health plan, healthcare clearinghouse) or its business associates.

It is important to understand this in an age of health apps and wearable devices. Personal fitness trackers and other such devices and apps may collect similar or the same information as your doctor (blood pressure, heart rate, weight, etc.) but this information is not covered by HIPAA. The developer of a health app can use your data however they choose, provided they have told you about the uses and disclosures in their terms and conditions. The exception is when a device is provided by your healthcare provider. The manufacturer of the device would then be a business associate, and the data collected would be subject to HIPAA regulations.

HIPAA MYTH #18 – You Can Sue Your Healthcare Provider for a HIPAA Violation

If there is a data breach or your healthcare provider or health plan violates HIPAA, you cannot sue them for the HIPAA violation as there is no private cause of action in HIPAA. That does not leave you powerless. You have the right to report the violation to the Department of Health and Human Services’ Office for Civil Rights (OCR) and OCR will investigate. If a HIPAA violation has occurred, OCR can take action and that may result in a financial penalty or, in certain cases, criminal penalties.

You may be able to sue a healthcare provider for a “HIPAA violation” under state laws, provided a state law has been violated. Many states have implemented “HIPAA-like” privacy, security, and breach notification laws.

HIPAA MYTH #19 – Healthcare Organizations are Often Fined for Data Breaches

Data breaches can lead to financial penalties for healthcare organizations, but the penalty is not usually given for the breach itself, but for the HIPAA violations that contributed to the cause of the breach. Data breaches are investigated by the HHS’ Office for Civil Rights and, in the majority of cases, no action is taken or technical assistance is provided. OCR is well aware that not all data breaches can be prevented.

What OCR wants to establish, is whether reasonable and appropriate safeguards have been implemented and if HIPAA-compliant policies and procedures are in place and are being followed. If a breach occurs at a HIPAA-compliant covered entity, a financial penalty is unlikely to be issued.

HIPAA MYTH #20 – Healthcare Organizations Do Not Have to Send Health Records to Apps if Requested by Patients

Healthcare organizations are required to provide patients with a copy of their health information on request. This can be in paper form, but if an electronic copy is requested the information must be provided in electronic form if the healthcare organization has the technology to do so. If a patient wants their health information sent to a third-party app, a healthcare organization cannot refuse if the ePHI is readily producible in a format supported by the app. Refusal is generally only possible when the act of sending ePHI to the app poses a security risk to the healthcare organization. A healthcare organization is not responsible for further disclosures of ePHI once ePHI has been sent to an app.