Hyperlinks
to supplemental content are provided, should you wish
to read more about a particular topic. This
extra material is optional. It is not covered on
the associated course quiz. The supplemental content
will usually be presented in a new browser window, which you
may close at any time.
For the recommended reading sequence for these materials,
see the HIPS Series Overview.
Approximate reading time for this course is 13 minutes (exclusive
of linked content). The quiz for this course is here.
1. Why are you, as a clinician, here?
If you are a practicing clinician, we know you are very busy.
We want you to understand why you have been directed to spend
time on these additional privacy-related materials.
As discussed at length in the introductory
privacy course, protections for health information are
required by Federal laws, such as HIPAA.
Every state also has its own
requirements. So do private certification organizations,
such as JCAHO.
You must have broad access to health information to carry
out your duties as a clinician. It is required that
you know how to protect that information, and that you understand
the particular legal limitations that apply in clinical care
settings.
2. HIPAA treatment-related authorization
As you have learned, treatment is one of the "big three"
functions for which the federal HIPAA regulations require
no written authorization.
Uses and disclosures for treatment,
payment
and a long list of health
care operations are generally allowed by HIPAA without
specific permission from the patient.
At least as far as federal law is concerned, persons who
wish to be seen at or admitted to a health care facility must
surrender almost all control over information for these three
purposes.
At present, HIPAA extends "extra" protection to only one
category of clinical information. Use or disclosure
of psychotherapy
notes requires authorization in many circumstances.
It has been broadly anticipated that a next version of HIPAA
might address categories such as genetic information, but
nothing is on the horizon. There has been much recent
activity at the state level in this area, however, adding
to the protections discussed in the next section.
3. State treatment-related authorization
As you also learned, state health privacy requirements that
are more
stringent remain in force. That means, in many states, a
general requirement for consent to information access remains
in force, even for treatment, payment or core health
care operations.
If required, this consent for information use and disclosure will
typically be bundled with the consent for treatment itself. Such
consent forms are usually signed when the patient registers
for the first time -- and, depending on the interpretation
of state laws, perhaps at each subsequent visit too.
Because most states' statutes also accord extra protection
to information categories like AIDS/HIV, genetic, mental health
and substance abuse information, separate specialized consents
for use or disclosure may be required for these.
For minors,
it is common to have exceptions to the general rule of parental
control over information -- e.g., for STDs and pregnancy-related
information -- depending on the level of emancipation.
This is a particularly complex area of health privacy, so
consultation with local experts is strongly recommended if
you have pediatric patients.
4. Treatment and "minimum necessary"
Both HIPAA and states' statutes tend to give treatment providers
a large amount of latitude in their handling of information.
Reflecting this, disclosures for treatment
purposes are exempt from HIPAA's minimum
necessary standard, so that clinicians can feel completely
free to exchange information amongst themselves without constraint.
Uses for treatment are still bound by minimum
necessary, but the requirement gets a liberal application
in treatment contexts.
If that distinction gives you a headache -- and we can certainly
understand why it might -- then it may be easier just to think
of the minimum necessary standard as applying to all treatment
contexts, but in a particularly "light" way that reflects
the extra discretion given to clinicians.
What does this mean in practice? Simply that your longstanding
professional obligation to provide complete information to
others participating in a patient's treatment, in furtherance
of the quality of that care, is not adversely affected by
HIPAA.
5. Treatment and "incidental uses and disclosures"
Perfect privacy is rarely possible, and it is particularly
difficult to achieve in a busy clinical practice. Accidents
happen -- or, to use the official language of the HIPAA
regulations, incidental
uses and disclosures happen.
It's required that a clinical facility take reasonable steps
to keep such incidentals to a minimum -- what the regulations
call "appropriate safeguards." But it is not required
that a state of zero-privacy-defects be achieved.
Accepting "incidentals" does not mean that negligence is
excused. Reasonable safeguards have to be in place
and reasonably used.
6. Kinds of safeguards in clinical settings
Safeguards include everything from locks on the doors (a
"physical" safeguard) to computer passwords (a "technical"
one). They also include policies and procedures,
and training on how to follow them (included in the category
of "administrative safeguards").
No set of safeguards works without individuals simply behaving
safely every day. That means something as basic as taking
care not to be overheard when you converse about a patient.
It includes attention to how you exchange information via
such old-fashioned devices as telephones and fax machines,
as well as relatively new-fangled conveniences like electronic
mail.
For this reason, basic information security training is
essential for everyone who works in a clinical setting.
(The necessary content for that task is provided
in the security series courses.)
7. Clinicians' leadership role
You may be wondering at this point why you need to spend
time thinking about things like safeguard categories -- especially
when most of the handling of office equipment and the minutiae
of computer information systems falls to others.
There are two reasons:
- First, as a clinician you have broader access to patient
health information than anyone else. (And, for the
reasons discussed, you are on a very loose leash.)
- Second, clinicians tend to set the tone for everyone else's
behavior -- even when they don't intend to. If
you are casual about privacy and security issues, that may
be taken as the de facto standard by your co-workers.
8. Is some clinical information special?
As noted, HIPAA currently extends special protections to
only one kind of health information: psychotherapy notes.
States' laws, as also noted, usually extend special protections
to many categories -- in addition to mental health, information
related to AIDS/HIV, STDs, genetic tests, and substance abuse.
Disclosures in these categories generally require separate
authorization.
Beyond these, HIPAA permits patients to request special
protections or confidential
communications mechanisms for information they consider
especially sensitive (as a part of their rights with respect
to their health records).
It is not the clinician's province to decide if the information
in question really merits designation as sensitive.
That is the patient's call. It is the clinician's responsibility
to decide whether the extra protections or communications security
are practical in a given clinical setting.
"Practicality" is in part a technical matter -- given what
the treatment facility's information systems allow.
It is also a clinical matter, since extra restrictions might
present risks to quality or continuity of care.
9. Control of patients' information
As noted in the introductory course, the reality of HIPAA
is that once a person enters a US health care facility, they
have ceded control to that institution and its employees for
a broad range of uses and disclosures.
As a clinician, you will almost certainly be a part of controlling
treatment-related uses and disclosures. You may also
have a role in information use related to payment or health
care operations.
In the (relatively few) circumstances where the
patient retains control, the general rule is a simple one:
If the person controls a decision about treatment, he/she
controls decisions about the information associated with it.
Where the patient is too young or mentally incapacitated,
a personal
representative can decide on his/her behalf.
As a clinician, you may be involved in asking the patient
about permission to discuss his/her condition with family
members, or about inclusion in a facility
directory. This is one area where patients get to
choose (and for which HIPAA requires only oral assent
or refusal).
You may also be involved if a patient is being approached
regarding "extra" uses like research
-- either as a conduit for the request, or as someone the
patient consults about the appropriateness of such an
authorization.
10. Discussing privacy with patients
Patients must receive their HIPAA-mandated privacy
notice the first time they appear at a clinical facility,
prior to an encounter with a direct treatment provider such
as yourself.
Most patients simply sign the acknowledgement-of-receipt
for the Notice and move on. But some are prompted to
read it and a few will even ask questions about it.
Like it or not, you will at times be put in the position
of being a patient's privacy advisor. Indeed, the notice-and-acknowledgement
process is explicitly intended to create an "initial
moment" during which patients can discuss their particular
privacy questions and concerns with care providers.
You need to know enough about privacy protections to have
an intelligent conversation about the basics. You also need
to know where in your organization to send patients if questions
arise that you and your staff are unable to answer.
That includes knowing the basic facts about the patient's
rights of access/copying,
correction/amendment,
disclosure
accounting, special protections and communications, and
authorizations for supplemental uses like research, marketing
and fundraising.
And, perhaps most importantly, it includes an understanding
of the process for filing
complaints (e.g., who the privacy official is, and how
to reach him/her). Why? Because patients with
problems are likely to bring them to a clinician first --
someone with whom they already have a trusting relationship.
It isn't usually expected that you'll fix a patient's privacy
problems personally. It is expected that you will make
sure the patient is able to find someone who can.
11. Who "owns" the information?
When you and other treatment providers participate in creating
the data in a patient's record, you are creating a record
that jointly "belongs" to many parties: among them you, to
be sure, but also the facility in which you practice, health
oversight organizations at various levels, and, most critically, the
patient.
It is yours in the sense that you are an author of its content
(and may have some control over who else may be
a co-author of the particular records
set), and because one or more copies of it may reside
in physical or electronic records repositories under
your control.
It is the patient's in the sense that he/she has certain
rights with respect to it -- access, amendment, and so on.
It is a mistake -- both logical and legal -- to regard a
medical record as any one party's "property." Rights
and obligations with respect to it are shared among many parties.
12. Making the best of joint ownership
Some practitioners can still remember a time when patients
were the last people who'd ever get to see the contents of
their own medical records. The federal rights granted
by HIPAA mean those days are over.
The new openness means that the patient's record is no longer
a place to put "private" comments not intended for the patient's
eyes. Whatever you put in a record -- unless it is in
the category of psychotherapy notes -- expect that the patient
will see it sooner or later.
Instead of focusing on the "loss" of the practitioner's privacy
in this regard, the expansion in patients' access to their
records can be seen as an opportunity for more collaboration
with the patient.
There's no reason to make a patient file a formal request
to see what is in their health record. That opportunity
should be provided as a matter of course.
13. If you remember nothing else
Here are the key points:
(1) Under HIPAA, treatment uses and disclosures do not require
written authorizations from patients. State law may
require it, however.
(2) Treatment uses and disclosures are only lightly bound
by the minimum necessary rule that covers other types of information
access, giving clinicians broad latitude.
(3) Perfect privacy is not required, but clinicians must
take reasonable steps to keep "incidental uses and disclosures"
to a minimum. (And otherwise, set a good example.)
(4) Clinicians should be prepared to help patients find answers
to questions about privacy issues.