Privacy and Confidentiality in the Therapeutic Relationship

HIPAA Privacy Regulations Overview & Update

(There are no questions in this introductory section; for Questions 13 and 14, go to Section #13.)

HIPAA Overview & Update
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 was the result of efforts by the Clinton Administration and congressional healthcare reform proponents to reform healthcare. The goals and objectives of this legislation are to streamline industry inefficiencies, reduce paperwork, make it easier to detect and prosecute fraud and abuse, and enable workers of all professions to change jobs, even if they (or family members) had pre-existing medical conditions.

HIPAA regulations are organized into three primary areas:
1. Privacy: Regulations have been finalized which set forth general rules for the uses and disclosures of individually identifiable health information by providers and others.

2. Administrative Simplification: Regulations have been enacted which create uniform standards and requirements for the electronic transmission of health information (Electronic Data Interchange).

3. Security: Regulations have been finalized which require providers and others who maintain health information to maintain the security and integrity of individually identifiable health information.
Who Must Comply? Regardless of whether you are the sponsor of a group health plan, HIPAA applies to you as an employer if you use protected health information to make employment decisions such as hiring, administering FMLA (Family Medical Leave Act) leave, ADA (Americans with Disabilities Act) accommodations, conducting drug screening and conducting fitness-for-duty exams. You’ll need to comply as soon as possible to protect yourself from

Patient Privacy April 14, 2003
The Privacy rule requires covered entities to implement formal policies, procedures and best practices regarding who has the right to access patient identifiable health information. The rule covers all individually identifiable health information, past, present and future, regardless of its form, including oral, written and electronic. The Privacy portion of HIPAA includes numerous requirements which protect the patient's rights, including:
- limiting the use and release of private health information without prior consent;
- giving patients new rights to access their medical records and to know who else has accessed them;
- restricting most disclosures of health information to the minimum needed for the intended purpose.

Who must Comply? The Privacy regulations have been finalized, and compliance is due from all covered entities by April 14, 2003, with the following exception: small health plans (a group or individual health plan with fewer than 50 participants) have until April 14, 2004.

Electronic Data Interchange (EDI) Administrative Simplification October 15, 2003

Status: Finalized. Compliance Date: October 15, 2003.

What is it? Many healthcare providers and health plans already use Electronic Data Interchange (EDI) when exchanging data with their business partners. The DHHS estimates there are over 400 formats currently in use, making standardization almost impossible. In order to perform EDI efficiently, HIPAA requires that a common format and data structure be used when exchanging specific transaction types, code sets and identifiers electronically.

Who must Comply?
--If you currently transmit identifiable patient information electronically, you must comply with the HIPAA regulations. If you are not EDI compliant, you should have filed for an extension by Oct. 15, 2002.
--If you filed for the extension, you must be in compliance with EDI by Oct. 16, 2003.
--If you did not file, you are expected to be compliant with EDI today and could be subject to fines.
--Health plans are required to have the capability to send and receive all HIPAA transactions now, or by Oct. 16, 2003 if you filed for an extension.
--Medicare will not accept paper claims after Oct. 16, 2003, with the following exception: if you have fewer than 10 employees, you are allowed an exception.
--Other payers will follow suit and require electronic transmission.

HIPAA Security April 20, 2005

Status: Finalized. Compliance Date: April 20, 2005.

What is it? The Security rule requires covered entities that maintain or transmit Patient Identifiable Data to develop and implement formal policies, procedures and best practices that will safeguard the integrity, confidentiality, and availability of their electronic data. The Security Standards include numerous requirements under the following four categories:
--Administrative procedures to guard data integrity, confidentiality, and availability: documented, formal practices that will protect data and manage the conduct of personnel with regard to patient data. This includes items such as Business Agreements, Chain of Trust Agreements and Contingency Plans.
--Physical safeguards to guard data integrity, confidentiality, and availability: protection of physical computer systems and related buildings and equipment from fire, environmental hazards or intrusion. This covers the use of locks, keys, and administrative measures used to control access to computer systems and facilities.
--Technical security services to guard the integrity, confidentiality, and availability of patient data: this requirement includes access control, audit controls and system requirements that must be put in place to protect information and to control individual access to information.
--Technical security mechanisms: processes that are put in place to guard against unauthorized access to data that is transmitted over a communications network. This covers items such as alarms, audit trails and access controls over the network.

HIPAA Resources Government Sponsored Sites
The HHS site has all the government regulations, Questions & Answers, and meeting minutes available to download.
The HHS web site on HIPAA happenings; including a place to sign up for a free government e-mail newsletter on HIPAA news.
This URL from Guide to Healthcare Schools allows an organization to determine, through a self-administered short questionnaire, whether or not it is a covered entity.
HHS released this useful summary fact sheet entitled “Protecting the Privacy of Patients' Health Information.” Protections and enforcement rules are explained in the document.

HIPAA Resources Private Sector Sponsored Sites

This is a long-standing private sector organization dedicated to fostering widespread support for the adoption of electronic commerce within healthcare. They have led the effort in advising HHS in implementing HIPAA and other electronic standards. This site gives access to background papers, industry white papers, and links to many other HIPAA sites.
AFEHCT serves as a healthcare industry association dedicated to supporting the use of EDI and to improving health care while reducing its cost. The AFEHCT site offers access to the papers coming out of its various HIPAA-related work groups as well as links to member sites and a "library" of HIPAA-related papers.
General information on health law, not limited to HIPAA issues. The Current in Health Law section includes ways to sign up for Health Law Highlights, a free weekly news update.
Association of developers of electronic health records; the intent is to promote the development and acceptance of the Electronic Medical Record (EMR).

Common Sense Privacy Practice Procedures to review with your staff:

1. Patient information of any nature is confidential. This includes information from or about medical records, test results, appointments, and referrals. Even a patient’s presence at our medical practice offices should not be disclosed.

2. Staff must not discuss patient information with anyone who is not involved in the patient’s care and entitled to receive such information. Do not discuss patient information with your family members, friends, in social conversations, etc. Such breaches of privacy/confidentiality may subject employees to disciplinary action, including termination.

3. When in doubt, do not disclose patient information until you ask your supervisor or the Privacy Officer for clarification (emergency situations may be an exception).

4. As a general rule, patient information may be disclosed when specifically authorized by the patient; when it is necessary for purposes of treatment, payment, or health operations; or when required by law. But there are rules that apply to each: disclosure for purposes of treatment, payment and health operations, and patient authorizations.

5. Be aware of confidentiality when answering patients' questions, providing test results, making appointments, making referrals, checking insurance eligibility, obtaining prior approvals, etc.

6. As a general rule, an adult patient’s information cannot be released to the patient’s spouse or other family member without the patient’s authorization. For example, if a patient’s husband calls asking for the results of his wife’s pregnancy test, or other test results, our policy is to tell him that “we are sorry, but we cannot release information without the patient's specific, written authorization.”

7. Patient information regarding an adult child should not be disclosed to a parent without the patient’s authorization.

8. For minors, patient information cannot be released to third parties without the consent of the parent or the patient’s legal guardian.

9. Employees should not allow medical information on computer monitors to be visible to patients.

10. Backups of computer files will be maintained by the Privacy Officer and one other designated individual in a fireproof safe.

11. Do not disclose your passwords to anyone, including other employees. Passwords will be assigned by the Privacy Officer, changed at appropriate intervals, deleted when an employee leaves or is assigned to another position, reissued when there is a concern that passwords are not secure, etc.

12. Keep patient charts, encounter forms, and other documents face down. Never leave such documents where unauthorized persons can see or take them.

13. Use the special receptacles marked “Patient Information to Be Shredded” when disposing of any written material that may contain protected patient information.

14. Place medical records, test results, etc., in slots in exam room doors so that they face the door or wall. Speak softly to others in person or over the phone. Try to avoid stating the patient’s name whenever possible.

15. Receptionists should change the sign-in sheet to a new page at least hourly. Do not allow or require patients to write the reason for the visit on the sign-in sheet. The fact that an individual is a patient at this medical practice is confidential information.

16. Whenever possible, speak to patients about their medical information in private offices and exam rooms. Do not discuss the patient’s condition, reason for the visit, and the like in the waiting area or in front of those not involved in their care.

17. When making an appointment, ask the patient where they may be reached to confirm the appointment, ask questions, or for other purposes.

18. If you call the patient to confirm an appointment, provide test results, etc., and they are not available, simply leave a message asking them to call you. If you get an answering machine (voice mail), simply leave a message with your name and phone number.

19. Unless you are sure we have the patient’s permission to release information, do not do so. Unless you have the need to know, do not ask patients why they are here, what problems they are having, and the like.

20. If you pull medical records, file information, etc., do not read any more information than necessary to complete the task at hand. For example, if you are asked to pull a patient’s chart, you do not need any more information from the chart than the patient’s name and medical record number. If you are asked to find certain information in the chart, do not read any more information than necessary.

21. Information about employees who receive care will be considered confidential, just as if they were a patient who is not employed by this medical practice.

22. When you see patients outside the office, do not ask specific questions based on your knowledge of their patient information.

URLs for two extensive search engines are and

HIPAA Privacy Rule and Sharing Information Related to Mental Health
- U.S. Department of Health and Human Services. (n.d.). HIPAA Privacy Rule and Sharing Information Related to Mental Health. U.S. Department of Health and Human Services, 1-13. Retrieved October 22, 2018.
