Frequently Asked Questions About Privacy
- What disciplines within health departments are being used as privacy officers?
- Is it permissible for the health director to be the privacy officer?
- County auditors want all Explanation of Benefits (EOBs) and checks to go directly to the county finance office. As EOBs contain identifiable health information, where can a written legal opinion be obtained to submit to auditors to prevent this practice?
- Is it permissible to continue using sign-up/sign-in sheets at the front reception desk?
- Will there be templates available to assist local health departments?
- When seeing WIC clients that are private patients of physicians, what do we need to do to be HIPAA compliant when calling the physician's office to obtain height, weight, hemoglobin results?
- Our school health nurses are assisting the school system in revising the student medical information form completed by parents at the beginning of the school year. Is it permissible to collect health insurance and Medicaid information on these forms?
- Our nursing staff is revising in-house referral and followup forms for teens. What should be included on these forms to make them HIPAA compliant?
- Many citizens in our county are adamant about demanding emails of county employees because they feel the emails are public domain. To that end, our county IS Director is seriously considering releasing emails to citizens. Are you aware of this practice in other counties?
- Should the Environmental Health Section within the health department be included in the HIPAA compliance efforts of the health department?
- Please provide some clarification on "minimum necessary."
- Do the HIPAA requirements require health departments to change from alphabetical filing systems to numerical filing systems?
- Will the templates and handouts from the May privacy training be made available on-line?
- Does HIPAA prohibit document imaging?
- Our health department is in the process of building renovation and we are planning for shelving over cubicles where records are sometimes stored. Is it permissible to use open shelving over cubicles for storage?
- Are other county health departments hiring full time privacy officers or are they assigning privacy officer duties to other positions?
- How much time is estimated to complete the NCHICA EarlyView Privacy tool?
- How long will the reduced rate for the NCHICA EarlyView Privacy tool be offered to local health departments?
- Our county uses GIS mapping to plot diseases in areas of the county. How is this covered under HIPAA?
- Where in the HIPAA regulations does it say what material must be in locked file cabinets?
- Please provide information on the sectional breakdown of the Privacy Rule.
- The HHS web site has the Privacy Rule broken down into parts. Is there a web site available that I can print the entire Privacy Rule at once?
- Are employment records covered under HIPAA?
- Will there be model privacy policies provided to health departments?
- What is the difference between a consent and an authorization?
- How is WIC affected at the local level by HIPAA?
- Can health departments be considered a small health provider if it has receipts less than $5 million per year?
- At the May Privacy Officer training we were given a sample Notice of Privacy Practices. On the last page it says if you have a complaint to contact the office or the government agency. What do we put in those areas?
- If the health department and home health agency are located in the same building, would one privacy officer cover both agencies?
- The employee in our health department that is going to assume the responsibilities of the privacy officer is getting her RHIT certification and will be officially classified as a Medical Records Manager. Do we have to make her working title Privacy Officer?
- Where in the Privacy Rule is shredding of documents addressed?
Q.
What disciplines within health departments are being used as privacy officers?
A. The most common disciplines being utilized within local health departments
are Quality Assurance/Improvement staff, nursing directors, nursing supervisors,
and medical records supervisors. Privacy officer duties will primarily
be focused on the development and implementation of organizational privacy
policies and procedures and adherence to the Privacy Rule.
Q.
Is it permissible for the health director to be the privacy officer?
A. Yes. The HIPAA regulations do not specify who should be the designee.
Refer to 164.530 for the duties and responsibilities required of the privacy
officer.
Q.
County auditors want all Explanation of Benefits (EOBs) and checks to
go directly to the county finance office. As EOBs contain identifiable
health information, where can a written legal opinion be obtained to submit
to auditors to prevent this practice?
A. Consult your local health department attorney.
Q.
Is it permissible to continue using sign-up/sign-in sheets at the front
reception desk?
A. Yes. According to the first Privacy Rule Guidance issued by the federal
DHHS on 7/6/2001, the use of sign-in sheets is not prohibited. Keep what
the sheet captures to the minimum needed to manage the waiting room (name
and arrival time rather than the reason for the visit), since everyone who
signs in can read the entries above their own.
Q.
Will there be templates available to assist local health departments?
A. Yes. A sample authorization form and Notice of Privacy Practices may
be found on the Institute of Government web site at http://www.medicalprivacy.unc.edu/resources.htm.
A sample business
associate agreement may be found on the web site of The N.C. Healthcare
Information and Communications Alliance, Inc. (NCHICA) at http://nchica.org/HIPAA/Samples.
When visiting this web site the first time, you will view NCHICA's "Sample
Documents Disclaimer" page. After reading the disclaimer, scroll
down to the bottom of the page and click on the "I Accept" button.
On the next page, "HIPAA Sample Documents," scroll down and
click on "Business Associate Agreement (contract)." The sample
document is in Word format and may be downloaded and/or printed at your
computer. (Be sure to read the "Disclaimer Page" on NCHICA's
web site prior to using the business associate agreement.) As with
any legal document, have local legal counsel review it prior to implementing
any agreement.
In addition, other
policy templates will be provided by the HIPAA Consultant, Division of
Public Health, Office of Local Health Services. The target date for having
all the policy templates completed is December 2002. Each policy template
will be distributed to all local health directors and HIPAA coordinators
as it is completed.
Q.
When seeing WIC clients that are private patients of physicians, what
do we need to do to be HIPAA compliant when calling the physician's office
to obtain height, weight, hemoglobin results?
A. If the client is the physician's private patient and has been referred
to the health department for WIC, it is the physician's responsibility
to obtain the appropriate consents and authorizations from the patient
in order to release information to the health department as that information
is part of the medical record belonging to the physician's office.
Q.
Our school health nurses are assisting the school system in revising the
student medical information form completed by parents at the beginning
of the school year. Is it permissible to collect health insurance and
Medicaid information on these forms?
A. As this form is the property of the local school system, it is best
to seek guidance from the local school system, as schools are required to
operate under other federal and state regulations that may take precedence
and prohibit the collection of this information.
Q.
Our nursing staff is revising in-house referral and followup forms for
teens. What should be included on these forms to make them HIPAA compliant?
A. It is recommended that forms not be revised until after the privacy
training being held in May 2002 by the Institute of Government. Templates
will be distributed during this training that will provide education on
the appropriate language to use when revising forms. To learn more about
the medical privacy training being planned visit the following website:
http://www.medicalprivacy.unc.edu/legal_training.htm
Q.
Many citizens in our county are adamant about demanding emails of county
employees because they feel the emails are public domain. To that end,
our county IS Director is seriously considering releasing emails to citizens.
Are you aware of this practice in other counties?
A. No. There are state and federal confidentiality laws concerning patient
privacy that require protection of patient confidentiality and protected
health information. Continue to work with the NC DHHS Legal Affairs Office,
Institute of Government, and especially your county attorney on this issue.
It would not be a good practice to begin releasing emails or other items
of concern without the guidance of your health department attorney.
Q.
Should the Environmental Health Section within the health department be
included in the HIPAA compliance efforts of the health department?
A. Yes. Although the Environmental Health Section does not bill electronically,
it is part of the covered entity, and the covered entity must protect all
identifiable health information it holds. Environmental Health staff do
handle identifiable health information in the lead abatement program
and during communicable disease outbreaks (such as foodborne illness investigations).
Q.
Please provide some clarification on "minimum necessary."
A. Minimum necessary applies when using or disclosing protected health
information or when requesting protected health information from another
covered entity. A covered entity must make reasonable efforts to limit
protected health information to the minimum necessary to accomplish the
intended purpose of the use, disclosure, or request. Part 164.502(b)(1)
Minimum necessary does not apply to disclosures to, or requests by, a
health care provider for treatment. Part 164.502(b)(2)(i). (Under the
December 2000 rule a direct treatment provider still needs the patient's
signed consent before using protected health information for treatment,
payment, or other health care operations (TPO); that is a separate
requirement in Part 164.506, not a condition of the minimum necessary
exception.)
For routine internal use, a covered entity must identify the persons or
classes of persons in its workforce who need access to protected health
information to carry out their duties, the categories of protected health
information each needs, and any conditions appropriate to that access. It
must then make reasonable efforts to limit access to what those duties
require. Part 164.514(d)(2)
Q.
Do the HIPAA requirements require health departments to change from alphabetical
filing systems to numerical filing systems?
A. No.
Q.
Will the templates and handouts from the May privacy training be made
available on-line?
A. Yes. The templates and handouts are available at the Institute of Government's
web site at http://www.medicalprivacy.unc.edu/resources.htm.
Q.
Does HIPAA prohibit document imaging?
A. No; however, these records would become subject to the same HIPAA Privacy
Rule provisions as any other individually identifiable health information
within the covered entity.
Q.
Our health department is in the process of building renovation and we
are planning for shelving over cubicles where records are sometimes stored.
Is it permissible to use open shelving over cubicles for storage?
A. Although this is not the best practice for storing records, if it is
the practice used, shelving over the cubicles should have doors with locks.
Q.
Are other county health departments hiring full time privacy officers
or are they assigning privacy officer duties to other positions?
A. There are several solutions being used in health departments across
North Carolina. A few may hire full time privacy officers but some are
shifting duties to allow for a full time privacy officer without creating
a new position. It seems the majority are adding this responsibility to
an existing position that also has other duties.
Q.
How much time is estimated to complete the NCHICA EarlyView Privacy tool?
A. The amount of time required to complete the tool will vary for each
agency. Presently, the tool includes 50 generic questions which are not
specific to public health. It is estimated that 4-8 hours will be required
to complete the tool depending on the following factors:
- Familiarity with
the HIPAA regulations.
- The amount of preliminary
work already completed within the agency.
- The size of the
agency and the number of staff and sites to be involved.
Q.
How long will the reduced rate for the NCHICA EarlyView Privacy tool be
offered to local health departments?
A. No time limit has been set by NCHICA for local public health departments
to receive the reduced rate.
Q.
Our county uses GIS mapping to plot diseases in areas of the county. How
is this covered under HIPAA?
A. The standard and implementation specifications for de-identification
of protected health information are in Part 164.514(a)-(c), pages 82818-82819
of the Federal Register. A more detailed discussion is in the Preamble,
pages 82542-82543. These sections give the specific criteria and alternatives
for de-identifying protected health information and aggregate data: either
a documented determination by a qualified statistician that the risk of
re-identification is very small, or removal of the listed identifiers (the
"safe harbor"). For mapping, the safe harbor allows no geographic unit
smaller than a state other than the first three digits of the ZIP code, and
those only where the three-digit area contains more than 20,000 people.
Plotting cases at street address or coordinate level therefore produces
protected health information, not de-identified data; plot aggregate counts
by a permitted geographic unit instead. Please refer to these sections for
specific information.
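The following is an added example, not part of the original FAQ or of any NCHICA or Institute of Government material. It applies the safe harbor rules of Part 164.514(b)(2) that matter for a disease map: geographic units smaller than a state are removed except the first three ZIP digits, which are zeroed when the three-digit area holds 20,000 or fewer people; dates keep only the year; ages over 89 are pooled; other direct identifiers are dropped. Field names, the sample case records and the population table are constructed assumptions for the example, not real data.

```python
"""Safe Harbor de-identification of surveillance records before mapping.

Added example (assumptions: record field names, sample cases and ZIP
population figures are all constructed for illustration).
"""
from collections import Counter

# Direct identifiers dropped outright. Street, city, county and coordinates are
# geographic units smaller than a state; the rest are named identifier types in
# 164.514(b)(2). Field names are assumptions for this example.
DIRECT_IDENTIFIERS = {"name", "street", "city", "county", "lat", "lon",
                      "phone", "email", "ssn", "mrn"}

# Date fields: only the year survives, stored under a renamed key.
DATE_FIELDS = {"dob": "birth_year", "onset_date": "onset_year"}

# 164.514(b)(2)(i)(B): three-digit ZIP allowed only if the area has > 20,000 people.
POPULOUS_THRESHOLD = 20_000


def generalize_zip(zip_code, zip3_population):
    """First three ZIP digits, or '000' when that area is not populous enough."""
    zip3 = zip_code.strip()[:3]
    if zip3_population.get(zip3, 0) > POPULOUS_THRESHOLD:
        return zip3
    return "000"


def generalize_date(iso_date):
    """Keep only the year of a YYYY-MM-DD date."""
    return iso_date.strip()[:4]


def generalize_age(age):
    """Ages over 89 are pooled into one '90+' bucket."""
    return "90+" if age > 89 else str(age)


def deidentify(record, zip3_population):
    """Return a copy of one case record with safe harbor identifiers removed."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in DATE_FIELDS:
            out[DATE_FIELDS[field]] = generalize_date(value)
        elif field == "zip":
            out["zip3"] = generalize_zip(value, zip3_population)
        elif field == "age":
            out["age"] = generalize_age(value)
        else:
            out[field] = value
    return out


def counts_by_zip3(records, zip3_population):
    """Aggregate de-identified cases into (zip3, onset_year, condition) counts,
    which is the granularity a county map can show without PHI."""
    counts = Counter()
    for record in records:
        d = deidentify(record, zip3_population)
        counts[(d["zip3"], d["onset_year"], d["condition"])] += 1
    return dict(counts)


# Constructed sample data (not real people, not real population figures).
ZIP3_POPULATION = {"275": 350_000, "289": 12_000}
SAMPLE_RECORDS = [
    {"name": "A. Patient", "street": "12 Elm St", "city": "Anytown", "county": "Wake",
     "zip": "27513", "dob": "1931-04-02", "age": 91, "onset_date": "2002-03-14",
     "condition": "salmonellosis", "mrn": "000123", "lat": 35.78, "lon": -78.64},
    {"name": "B. Patient", "street": "9 Oak Ave", "city": "Hilltown", "county": "Cherokee",
     "zip": "28906", "dob": "1975-11-20", "age": 26, "onset_date": "2002-03-20",
     "condition": "salmonellosis", "mrn": "000124", "lat": 35.03, "lon": -84.00},
    {"name": "C. Patient", "street": "4 Pine Rd", "city": "Anytown", "county": "Wake",
     "zip": "27520", "dob": "1962-07-09", "age": 39, "onset_date": "2002-04-01",
     "condition": "salmonellosis", "mrn": "000125", "lat": 35.64, "lon": -78.55},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(deidentify(record, ZIP3_POPULATION))
    print(counts_by_zip3(SAMPLE_RECORDS, ZIP3_POPULATION))
```

Removing the listed identifiers is only half of the safe harbor: Part 164.514(b)(2)(ii) also requires that the covered entity have no actual knowledge that the remaining information could identify the individual. A count of one case of a rare condition in a sparsely populated three-digit ZIP area can still single a person out, so in practice small cells are suppressed before a map is published, or the statistical determination alternative in Part 164.514(b)(1) is used instead.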
Q.
Where in the HIPAA regulations does it say what material must be in locked
file cabinets?
A. In the Privacy Rule itself, there is no specific rule stating how you
should protect the privacy of health information. In the Privacy Rule,
page 82827 of the Federal Register, Part 164.530 (c)(1)(2), there are
two short paragraphs stating that the covered entity must have in place
appropriate administrative, technical, and physical safeguards to protect
the privacy of protected health information.
Much more clarifying
information about safeguards is in the Preamble starting on page 82561,
"Safeguards." On page 82562, second paragraph, there is more
specific information about safeguards, particular methods, scalability,
etc. This particular paragraph does cite an example of appropriate measures
requiring documents containing protected health information being shredded
prior to disposal, and requiring that doors to medical records departments
(or to file cabinets housing such records) remain locked and limiting
which personnel are authorized to have the key or pass-code. It is intended
for this to be a common sense, scalable standard. The regulations specifically
state that they do not prescribe particular measures covered entities
must take to meet this standard. The regulations were intentionally written
in a manner to allow agencies flexibility in achieving compliance on a
scalable level.
On Page 82745, Comments
Section, more information is available on safeguards, Part 164.530 (c).
Much of this information discusses the relationship between the Security
Rule and Privacy Rule relative to safeguards.
Q.
Please provide information on the sectional breakdown of the Privacy Rule.
A. Go to the following web site to print the entire HIPAA Privacy Rule
in the Federal Register. http://aspe.hhs.gov/admnsimp/Index.htm.
The original final Privacy Rule, published 12-28-00, is under the "National
Standards" section and then you must click on "Privacy Standards."
Then choose the PDF format. Be sure to use a high-speed printer as the
document is 367 pages in length. The web site will require you to print
the rule in sections. Be sure to print all sections.
After printing the
Federal Register, you may want to add tabs on designated pages to assist
you in navigating through the Federal Register. It certainly helps when
trying to read the rule, the preamble, and the corresponding comments.
Below are the sections and page numbers that will help when adding tabs
to your copy of the Federal Register.
Section I - "Summary
& Background" - pages 82462 - 82474
Section II - "Preamble" - pages 82475 - 82565
Section III - "Comments" - pages 82565 - 82758
Part 160 Comments - pages 82565 - 82605
Part 164 Comments - pages 82605 - 82758
Section IV - "Impact Analysis" - pages 82758 - 82798
Section V - "Rule" - pages 82798 - 82829
Part 160 Rule - pages 82798 - 82802
Part 164 Rule - pages 82802 - 82829
Q.
The HHS web site has the Privacy Rule broken down into parts. Is there
a web site available that I can print the entire Privacy Rule at once?
A. After surfing the web at various sites, it seems that the lengthy rules
are listed in parts for convenience of printing.
Q.
Are employment records covered under HIPAA?
A. In the proposed revisions to the Privacy Rule, Part 164.501-Definitions,
(iii) has been added which states that protected health information excludes
individually identifiable health information in employment records held
by a covered entity in its role as employer.
Q.
Will there be model privacy policies provided to health departments?
A. The Office of Local Health Services has committed to providing sample
privacy policies to local health departments. The timeline for completion
is December 2002. As individual policies are completed, they will be distributed.
Q.
What is the difference between a consent and an authorization?
A. The two differ in when they are required, what happens if the client
refuses to sign, whether an expiration date is required, and how specific
the language must be:

When required
  Consent: Written consent is required before a direct treatment provider
  may use protected health information (PHI) for treatment, payment, or
  other health care operations (TPO), with some specific exceptions.
  Authorization: Required for all non-TPO uses and disclosures not otherwise
  permitted by law. A customized document that gives permission to use
  specified PHI for specified purposes, or to disclose it to a third party.

If the client refuses to sign
  Consent: the health care provider can deny treatment; a health plan may
  condition enrollment on provision of consent (if the health plan chooses
  to obtain consent).
  Authorization: the health care provider cannot deny treatment; the
  specified PHI cannot be disclosed to the third party for the specified
  purpose.

Expiration date
  Consent: not required.
  Authorization: required.

Language
  Consent: can be in general language.
  Authorization: must be in precise language.
Q.
How is WIC affected at the local level by HIPAA?
A. WIC is exempt from the HIPAA Privacy Rule. You may find this information
in the Privacy Rule in the Preamble, page 82479, middle column, center
of column where addressed are government funded programs that do not have
as their principal purpose the provision of, or payment for, the cost
of health care.
HHS has not provided
any guidance on how to treat WIC when it is part of a covered entity.
The decision on how
to treat WIC will depend on how your county and your health department
decides to proceed with implementation. There are several options to consider
when determining best practices.
- If your county
or health department has declared itself a hybrid entity, WIC could
be excluded from the health care component declaration. In this situation,
WIC staff would not be part of the workforce of the health care component
and would not have to comply with HIPAA and the WIC records should probably
be separated from the client's medical record. However, an authorization
from the client would be required to disclose protected health information
to WIC from the health department unless the disclosure was for treatment,
payment, or other health care operations. In this situation, WIC staff
would not necessarily need to use the same authorization forms as the
rest of the health department staff and would have their own set of
policies and procedures. This practice would depend on the best practice
method adopted by your health department.
- If your health
department has been declared the "covered entity" that is
not part of a hybrid entity, WIC could be declared part of the covered
entity. WIC would then be part of the workforce of the covered entity
and the workforce would comply with the same policies and procedures
and use the same forms. In this situation, WIC records would not necessarily
need to be separated from the client's medical record; however, this
might be the best practice to use when trying to comply with the minimum
necessary standard.
Q.
Can health departments be considered a small health provider if it has
receipts less than $5 million per year?
A. No. Health departments do not qualify as a small health plan and there
is no definition in HIPAA for a small health care provider.
Q.
At the May Privacy Officer training we were given a sample Notice of Privacy
Practices. On the last page it says if you have a complaint to contact
the office or the government agency. What do we put in those areas?
A. Part 164.520(b)(1)(vi) & (vii) states:
"Complaints: The notice must contain a statement that individuals
may complain to the covered entity and to the Secretary if they believe
their privacy rights have been violated, a brief description of how the
individual may file a complaint with the covered entity, and a statement
that the individual will not be retaliated against for filing a complaint.
Contact: The notice must contain the name, or title, and telephone number
of a person or office to contact for further information as required by
Part 164.530(a)(1)(ii)."
Part 160.306 sets out the requirements for a complaint to the Secretary.
(Please refer to this section in the Rule to be sure all the required
elements are included as worded in the Rule.)
- Complaint must
be filed in writing, either on paper or electronically
- Complaint must
name the entity that is the subject of the complaint and describe the
acts or omissions believed to be in violation of the applicable requirement
- Complaint must
be filed within 180 days of when the complainant knew, or should have
known, that the act or omission complained of occurred, unless this
time limit is waived by the Secretary for good cause.
Contact information
for your covered entity and for filing a complaint with the Secretary
of HHS must be included. The present address for the Secretary is:
Secretary, Health and Human Services
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Room 509F, HHH Building
Washington, DC 20201
Q.
If the health department and home health agency are located in the same
building, would one privacy officer cover both agencies?
A. In the Comments Section of the Privacy Rule, page 82744-45 of the Federal
Register, it states that there must be one point of accountability for
the covered entity's policies and procedures and compliance with this
regulation. If you have a lead privacy person in each of these sections,
one must be the privacy officer for the entire agency. The exception is an
agency that has designated itself a hybrid entity and designated its health
care components; in that situation, one privacy officer for each health
care component would be appropriate.
Q. The employee in our health department that is going
to assume the responsibilities of the privacy officer is getting her RHIT
certification and will be officially classified as a Medical Records Manager.
Do we have to make her working title Privacy Officer?
A. Part 164.530(a)(1)(i) only states that a covered entity must designate
a privacy official. It doesn't mention anything about classifications
or titles within a personnel system. It seems that the personnel classification
doesn't have to be "privacy officer" as long as your staff knows
who the privacy officer is and can direct them to the appropriate person
when necessary. It seems that in this particular situation, this employee
will have dual work responsibilities. Also, Part 164.530(a)(2) states
that a covered entity must document the personnel designation of the privacy
official, so be sure to have the appropriate documentation.
Q.
Where in the Privacy Rule is shredding of documents addressed?
A. In the Privacy Rule itself, there is no specific rule about shredding.
In the Privacy Rule, page 82827 of the Federal Register, Part 164.530(c)(1)(2),
there are two short paragraphs stating that the covered entity must have
in place appropriate administrative, technical and physical safeguards
to protect the privacy of protected health information.
Much more clarifying
information about safeguards is in the Preamble starting on page 82561,
"Safeguards." On page 82562, second paragraph, there is more
specific information about safeguards, particular methods, scalability,
etc. This particular paragraph addresses shredding; however, the regulations
specifically state that they do not prescribe particular measures covered
entities must take to meet this standard.
On page 82745, Comments
Section, more information is available on safeguards, Part 164.530(c).
Much of this information discusses the relationship between the Security
Rule and Privacy Rule relative to safeguards.